Bug 901546 - (CVE-2014-3660) VUL-0: CVE-2014-3660: libxml2: denial of service via recursive entity expansion
(CVE-2014-3660)
VUL-0: CVE-2014-3660: libxml2: denial of service via recursive entity expansion
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P2 - High : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/109373/
maint:released:sle11-sp1:59509 maint:...
: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-10-16 11:42 UTC by Victor Pereira
Modified: 2021-11-03 15:05 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
proposed patch (4.24 KB, patch)
2014-10-16 11:42 UTC, Victor Pereira
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2014-10-16 11:42:43 UTC
Created attachment 610342 [details]
proposed patch

CVE-2014-3660

A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1149084
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660
Comment 2 Swamp Workflow Management 2014-10-16 22:00:23 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2014-10-17 15:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (901546) was mentioned in
https://build.opensuse.org/request/show/257383 13.1+12.3 / python-libxml2+libxml2
Comment 6 Vítězslav Čížek 2014-10-17 16:33:16 UTC
All packages are submitted. Back to security-team.
Comment 8 Swamp Workflow Management 2014-10-20 08:31:08 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-11-03.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59447
Comment 9 Swamp Workflow Management 2014-10-29 15:04:55 UTC
openSUSE-SU-2014:1330-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 901546
CVE References: CVE-2014-3660
Sources used:
openSUSE 13.1 (src):    libxml2-2.9.1-2.16.1, python-libxml2-2.9.1-2.16.1
openSUSE 12.3 (src):    libxml2-2.9.0-2.33.1, python-libxml2-2.9.0-2.33.1
Comment 10 Swamp Workflow Management 2014-11-17 22:04:55 UTC
SUSE-SU-2014:1440-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 901546
CVE References: CVE-2014-3660
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libxml2-2.7.6-0.31.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    libxml2-2.7.6-0.31.1, libxml2-python-2.7.6-0.31.1
SUSE Linux Enterprise Server 11 SP3 (src):    libxml2-2.7.6-0.31.1, libxml2-python-2.7.6-0.31.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    libxml2-2.7.6-0.31.1, libxml2-python-2.7.6-0.31.1
Comment 13 Swamp Workflow Management 2015-01-02 09:05:24 UTC
SUSE-SU-2015:0003-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 901546,908376
CVE References: CVE-2014-3660
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    libxml2-2.9.1-10.1
SUSE Linux Enterprise Server 12 (src):    libxml2-2.9.1-10.1, python-libxml2-2.9.1-10.1
SUSE Linux Enterprise Desktop 12 (src):    libxml2-2.9.1-10.1, python-libxml2-2.9.1-10.1