FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2013-0339

This CVE name corresponds to:

Entered     Topic
2013-03-29  libxml2 -- CPU consumption DoS

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type   Candidate
Name   CVE-2013-0339
Phase  Assigned (2012-12-06)

Description

libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.

References

Source Reference
MLIST [oss-security] 20130221 CVE Guidance for Libraries and Resource-Consumption DoS
MLIST [oss-security] 20130221 CVEs for libxml2 and expat internal and external XML entity expansion
MLIST [oss-security] 20130412 Re-evaluating expat/libxml2 CVE assignments
MLIST [oss-security] 20131028 Re: CVE Request: libxml2 external parsed entities issue
MLIST [oss-security] 20131029 Re: CVE Request: libxml2 external parsed entities issue
MLIST [oss-security] 20131029 Re: CVE Request: libxml2 external parsed entities issue
MISC https://bugzilla.redhat.com/show_bug.cgi?id=915149
MISC https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
DEBIAN DSA-2652
SUSE SUSE-SU-2013:1627
UBUNTU USN-1904-1
UBUNTU USN-1904-2
SECUNIA 52662
SECUNIA 54172
SECUNIA 55568