FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

textproc/expat2 -- billion laughs attack

Affected packages
expat < 2.4.1

Details

VuXML ID 5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9
Discovery 2013-02-21
Entry 2021-05-24

Kurt Seifried reports:

So here are the CVEs for the two big ones, libxml2 and expat. Both are affected by the expansion of internal entities (which can be used to consume resources) and external entities (which can cause a denial of service against other services, be used to port scan, etc.).

A billion laughs attack is a type of denial-of-service attack aimed at XML parsers: nested internal entity definitions make a small document expand to an enormous amount of data when it is parsed.
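The amplification described above can be estimated before a document reaches the parser. The following is an added example (not part of this VuXML entry or of expat itself) that computes how far the internal entities in a DTD expand, rejects recursive definitions, and refuses documents whose output-to-input ratio exceeds a chosen limit, in the spirit of the ratio-based protection that expat 2.4.0 introduced. It handles only double-quoted internal general entities, the 100x limit is this example's own threshold, and both sample documents are constructed.

```python
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')  # internal, double-quoted only
ENTITY_REF = re.compile(r'&(\w+);')

def entity_expansion_sizes(doc: str) -> dict[str, int]:
    """Fully expanded length of each internal general entity declared in the DTD."""
    decls = dict(ENTITY_DECL.findall(doc))
    sizes: dict[str, int] = {}
    def size_of(name: str, stack: frozenset) -> int:
        if name in sizes:
            return sizes[name]
        if name in stack:  # XML forbids recursive entities; a parser must reject them
            raise ValueError(f"recursive entity reference through '{name}'")
        value = decls.get(name)
        if value is None:  # external, parameter or predefined entity: no amplification,
            return len(f"&{name};")  # so just count the reference text itself
        total, last = 0, 0
        for m in ENTITY_REF.finditer(value):
            total += (m.start() - last) + size_of(m.group(1), stack | {name})
            last = m.end()
        sizes[name] = total + len(value) - last
        return sizes[name]
    for name in decls:
        size_of(name, frozenset())
    return sizes

def expanded_size(doc: str) -> tuple[int, int]:
    """Return (bytes read, bytes the parser would produce after expanding the body)."""
    sizes = entity_expansion_sizes(doc)
    end = doc.rfind("]>")  # end of the internal DTD subset, if there is one
    body = doc[end + 2:] if end >= 0 else doc
    expanded = len(doc)
    for m in ENTITY_REF.finditer(body):
        expanded += sizes.get(m.group(1), len(m.group(0))) - len(m.group(0))
    return len(doc), expanded

def is_within_amplification_limit(doc: str, max_ratio: float = 100.0) -> bool:
    """Accept only documents whose output/input ratio stays under the example threshold."""
    direct, expanded = expanded_size(doc)
    return expanded / direct <= max_ratio

# Constructed sample: six levels of ten-fold nesting, 550 bytes that expand to ~2 MB.
_DTD = ['<!ENTITY lol0 "ha">'] + [
    f'<!ENTITY lol{i} "' + f'&lol{i - 1};' * 10 + '">' for i in range(1, 7)]
AMPLIFYING_DOC = ('<?xml version="1.0"?>\n<!DOCTYPE data [\n' + '\n'.join(_DTD)
                  + '\n]>\n<data>&lol6;</data>\n')
# Constructed sample: ordinary entity use, ratio close to 1.
BENIGN_DOC = '<!DOCTYPE d [<!ENTITY co "Example Corp">]><d>&co; &co;</d>'
```

This is a pre-parse screen for untrusted input; it does not replace upgrading to an expat with the built-in limits.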

References

CVE Name CVE-2013-0340
URL https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/
URL https://nvd.nist.gov/vuln/detail/CVE-2013-0340
URL https://www.openwall.com/lists/oss-security/2013/02/22/3