[xml] CERT Finland: Vulnerabilities in XML libraries including LibXML2



A posting on the xml-dev mailing list refers to an advisory notice on
the CERT Finland website, which reports vulnerabilities in various XML
libraries, among which LibXML2 is listed.

| Several vulnerabilities regarding the parsing of XML data have
| been found in XML library implementations. CERT-FI coordinated
| the remediation efforts of these vulnerabilities.

| The vulnerabilities are related to the parsing of XML elements
| with unexpected byte values and recursive parentheses, which
| cause the program to access memory out of bounds, or to loop
| indefinitely. The effects of the vulnerabilities include denial
| of service and potentially code execution. The vulnerabilities
| can be exploited by enticing a user to open a specially modified
| file, or by submitting it to a server that handles XML content.

http://www.cert.fi/en/reports/2009/vulnerability2009085.html

LibXML2 is in good company, as Apache Xerces and some version of Sun
JDK and JRE are also listed.

The WWW.CERT.FI server currently does not reply, so here is the contact
information listed on the page:

  vulncoord <at> ficora.fi

  Please quote the advisory reference
  [FICORA #245608] in the subject line

--
Michael Ludwig


