Bug 1149084 (CVE-2014-3660)

Summary: CVE-2014-3660 libxml2: denial of service via recursive entity expansion
Product: [Other] Security Response
Reporter: David Jorm <djorm>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aneelica, chazlett, finke.lamein, fkrska, jrusnack, mcermak, mdshaikh, mjc, ohudlick, security-response-team, veillard
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libxml2 2.9.2
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior.
Story Points: ---
Clone Of:
: 1161841
Last Closed: 2014-11-20 19:09:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1149085, 1149086, 1149087, 1149088, 1161841
Bug Blocks: 1149089
Attachments (description, flags):
  Proposed upstream patch (none)
  Patch for RHEL-7 (none)
  Patch for RHEL-6 (none)
  Patch for RHEL-5 (none)

Description David Jorm 2014-10-03 08:05:58 UTC
Issue Description:

A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior.
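
The advisory's point is that disabling entity substitution in the parser did not, by itself, stop the expansion work from happening. A defensive complement, shown here as an added example that is not part of this bug report or of libxml2, is to refuse untrusted documents that declare any entity at all when the application has no legitimate need for them. The example uses Python's standard-library expat bindings rather than libxml2 (an assumption made so it runs offline); the sample documents are constructed.

```python
"""Pre-parse guard: refuse XML documents that declare entities.

Added example (not from the bug report or libxml2). It uses the
stdlib expat bindings as an assumption; the same rule can be applied
in front of any XML parser fed untrusted input.
"""
import xml.parsers.expat


class EntityDeclarationFound(ValueError):
    """Raised when the document's DTD declares any entity."""


def check_no_entity_declarations(xml_bytes: bytes) -> bool:
    """Return True if xml_bytes is well-formed and declares no entities.

    Raises EntityDeclarationFound on the first <!ENTITY ...> declaration,
    i.e. before any reference to it could be expanded, and
    xml.parsers.expat.ExpatError for malformed input.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never read or expand parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        kind = "parameter" if is_parameter_entity else "general"
        raise EntityDeclarationFound(f"{kind} entity {name!r} declared")

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return True


def is_safe_to_parse(xml_bytes: bytes) -> bool:
    """Boolean wrapper: False for entity-declaring or malformed input."""
    try:
        return check_no_entity_declarations(xml_bytes)
    except (EntityDeclarationFound, xml.parsers.expat.ExpatError):
        return False


# Constructed sample inputs.
PLAIN_DOC = b'<?xml version="1.0"?><order><id>42</id></order>'
DOCTYPE_NO_ENTITIES = b'<!DOCTYPE order [<!ELEMENT order ANY>]><order/>'
DECLARES_ENTITY = (b'<!DOCTYPE order [<!ENTITY greeting "hello">]>'
                   b'<order>&greeting;</order>')

if __name__ == "__main__":
    for doc in (PLAIN_DOC, DOCTYPE_NO_ENTITIES, DECLARES_ENTITY):
        print(is_safe_to_parse(doc), doc[:45])
```

A DOCTYPE without entity declarations still passes, so the guard only blocks the construct the flaw depends on; patching to a fixed libxml2 remains the primary fix.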

Comment 3 Huzaifa S. Sidhpurwala 2014-10-07 05:26:29 UTC
Created attachment 944444
Proposed upstream patch

Comment 4 Daniel Veillard 2014-10-13 01:53:07 UTC
Created attachment 946196
Patch for RHEL-7

Comment 5 Daniel Veillard 2014-10-13 02:56:31 UTC
Created attachment 946225
Patch for RHEL-6

Comment 6 Daniel Veillard 2014-10-13 02:58:07 UTC
Created attachment 946226
Patch for RHEL-5

This one was actually quite a bit harder to come by; the backport required intimate knowledge of library internals.

Comment 8 errata-xmlrpc 2014-10-16 17:49:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1655 https://rhn.redhat.com/errata/RHSA-2014-1655.html

Comment 9 Fedora Update System 2014-10-18 16:58:16 UTC
libxml2-2.9.1-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Finke Lamein 2014-10-23 07:44:52 UTC
Just wondering, will the RHEL5 patch hit the repositories soon?

Comment 13 Fedora Update System 2014-11-01 17:15:28 UTC
libxml2-2.9.1-6.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 errata-xmlrpc 2014-11-20 18:52:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1885 https://rhn.redhat.com/errata/RHSA-2014-1885.html

Comment 16 Fedora Update System 2014-11-22 12:42:33 UTC
libxml2-2.9.1-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.