Bug 901546 (CVE-2014-3660) - VUL-0: CVE-2014-3660: libxml2: denial of service via recursive entity expansion
Summary: VUL-0: CVE-2014-3660: libxml2: denial of service via recursive entity expansion
Status: RESOLVED FIXED
Alias: CVE-2014-3660
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P2 - High : Major
Target Milestone: ---
Deadline: 2014-11-03
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/109373/
Whiteboard: maint:released:sle11-sp1:59509 maint:...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks:
 
Reported: 2014-10-16 11:42 UTC by Victor Pereira
Modified: 2021-11-03 15:05 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
proposed patch (4.24 KB, patch)
2014-10-16 11:42 UTC, Victor Pereira 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2014-10-16 11:42:43 UTC 
Created attachment 610342 [details]
proposed patch

CVE-2014-3660

A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1149084
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660
Comment 2 Swamp Workflow Management 2014-10-16 22:00:23 UTC 
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2014-10-17 15:00:13 UTC 
This is an autogenerated message for OBS integration:
This bug (901546) was mentioned in
https://build.opensuse.org/request/show/257383 13.1+12.3 / python-libxml2+libxml2
Comment 6 Vítězslav Čížek 2014-10-17 16:33:16 UTC 
All packages are submitted. Back to security-team.
Comment 8 Swamp Workflow Management 2014-10-20 08:31:08 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-11-03.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59447
Comment 9 Swamp Workflow Management 2014-10-29 15:04:55 UTC 
openSUSE-SU-2014:1330-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 901546
CVE References: CVE-2014-3660
Sources used:
openSUSE 13.1 (src):    libxml2-2.9.1-2.16.1, python-libxml2-2.9.1-2.16.1
openSUSE 12.3 (src):    libxml2-2.9.0-2.33.1, python-libxml2-2.9.0-2.33.1
Comment 10 Swamp Workflow Management 2014-11-17 22:04:55 UTC 
SUSE-SU-2014:1440-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 901546
CVE References: CVE-2014-3660
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libxml2-2.7.6-0.31.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    libxml2-2.7.6-0.31.1, libxml2-python-2.7.6-0.31.1
SUSE Linux Enterprise Server 11 SP3 (src):    libxml2-2.7.6-0.31.1, libxml2-python-2.7.6-0.31.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    libxml2-2.7.6-0.31.1, libxml2-python-2.7.6-0.31.1
Comment 13 Swamp Workflow Management 2015-01-02 09:05:24 UTC 
SUSE-SU-2015:0003-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 901546,908376
CVE References: CVE-2014-3660
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    libxml2-2.9.1-10.1
SUSE Linux Enterprise Server 12 (src):    libxml2-2.9.1-10.1, python-libxml2-2.9.1-10.1
SUSE Linux Enterprise Desktop 12 (src):    libxml2-2.9.1-10.1, python-libxml2-2.9.1-10.1