mailing list archives
Re: CVEs for libxml2 and expat internal and external XML entity expansion
From: Tim <tim-security () sentinelchicken org>
Date: Fri, 22 Feb 2013 10:24:12 -0800
> Please use CVE-2013-0338 for libxml2 internal entity expansion
Hasn't libxml2 got countermeasures for that?
Yeah, I believe so. Last I looked, I came up with recommendations for
folks to use xmlCtxtUseOptions with XML_PARSE_NOENT, XML_PARSE_NONET,
and XML_PARSE_DTDLOAD set appropriately. However, it wasn't 100%
clear to me at the time if these addressed all edge cases. In
particular, I didn't care much about the DoS cases at the time, but
hopefully if DTDs are ignored, then it wouldn't be an issue.
I'd love to hear from an expert on this matter. For sure the
documentation needs to be improved...
> Please use CVE-2013-0341 for expat external entities expansion
I don't think expat resolves external entities at all. Therefore, the
vulnerability resides entirely in the code which uses expat.
Last I checked, I came to the same conclusion.