Bug 787890 (CVE-2012-3514)
Field | Value
---|---
Summary: | CVE-2012-3514 ocaml-xml-light: hash table collisions CPU usage DoS
Product: | [Other] Security Response
Component: | vulnerability
Status: | CLOSED NEXTRELEASE
Severity: | medium
Priority: | medium
Version: | unspecified
Hardware: | All
OS: | Linux
Reporter: | Kurt Seifried <kseifried>
Assignee: | Red Hat Product Security <security-response-team>
CC: | rjones, security-response-team
Keywords: | Security
Doc Type: | Bug Fix
Last Closed: | 2014-06-12 18:37:49 UTC
Bug Blocks: | 770929, 788183

Description
Kurt Seifried
2012-02-07 01:28:25 UTC
*** Bug 787904 has been marked as a duplicate of this bug. ***

ocaml should contain a fixed implementation of hash tables in version 4.00:

====
According to Xavier Leroy Xavier.Leroy:

We decided to skip the 3.13 release entirely and go straight to 4.00. The 4.00 release is scheduled for June 2012.

http://caml.inria.fr/mantis/view.php?id=5572
====

at that time this software can be corrected to use the optional randomized hash table implementation.

How did I not see this bug before? Anyway, ocaml-xml-light is distributed in RHEL 5 & 6. Upstream is dead(-ish).

Our actual usage of XmlLight in RHEL (by virt-top) is not likely to be exploitable, because:

(1) it's only used to parse the output of libvirtd, which is not generally modifiable by non-root users, and

(2) even root can only modify it in very limited ways (you cannot, for example, add arbitrary XML nodes, which would appear to make it impossible to exploit this bug).

Nicolas Cannasse ncannasse reports:

Xml-Light has been moved to google code SVN here: http://ocamllibs.googlecode.com/svn/trunk/xml-light/

I've applied a fix in r234 by using String Map instead of Hashtbl for DTD proof.

Added CVE as per http://www.openwall.com/lists/oss-security/2012/08/21/2

(In reply to comment #6)
> Xml-Light has been moved to google code SVN here :
> http://ocamllibs.googlecode.com/svn/trunk/xml-light/
>
> I've applied a fix in r234 by using String Map instead of Hashtbl for DTD
> proof.

https://code.google.com/p/ocamllibs/source/detail?r=234

Build for Rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=4408967

I also did builds for F18, F17.

ocaml-xml-light-2.3-0.1.svn234.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

ocaml-xml-light-2.3-0.1.svn234.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

This issue does not affect any OCaml applications shipped in Red Hat Enterprise Linux 6. OCaml is only shipped via unsupported Optional repository as a build dependency. Therefore, this issue is not planned to be addressed in future Red Hat Enterprise Linux 6 updates. The fix is included in OCaml packages shipped as part of Red Hat Enterprise Linux 7.

Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
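
The two remedies discussed in this bug (the string Map used in r234 and the optional randomized hash tables of OCaml 4.00), compared in an added example that is not xml-light, upstream or Red Hat code. The weak hash function, the module names and the `elemNNNNNN` keys are constructed here to model a table whose keys all collide.

```ocaml
(* Added example, not xml-light code. The weak hash below is a constructed
   stand-in for a table whose keys all collide. *)
module WeakKey = struct
  type t = string
  let equal (a : string) b = a = b
  let hash = String.length          (* equal-length names share one bucket *)
end
module WeakTbl = Hashtbl.Make (WeakKey)

(* String map whose ordering function counts its own calls. *)
let comparisons = ref 0
module CountedString = struct
  type t = string
  let compare a b = incr comparisons; String.compare a b
end
module SMap = Map.Make (CountedString)

(* Constructed sample data: n element names of identical length. *)
let names n = List.init n (Printf.sprintf "elem%06d")

let () =
  let n = 5_000 in
  let keys = names n in
  let probe = Printf.sprintf "elem%06d" (n - 1) in

  (* Colliding hash table: every binding lands in the same bucket, so each
     replace/find walks a list that grows with the input. *)
  let tbl = WeakTbl.create 16 in
  List.iter (fun k -> WeakTbl.replace tbl k ()) keys;
  let st = WeakTbl.stats tbl in
  Printf.printf "Hashtbl (colliding): %d bindings, longest bucket %d\n"
    st.Hashtbl.num_bindings st.Hashtbl.max_bucket_length;

  (* Balanced string map, as in r234: lookup cost is bounded by tree height
     whatever the keys are. *)
  let map = List.fold_left (fun m k -> SMap.add k () m) SMap.empty keys in
  comparisons := 0;
  let found = SMap.mem probe map in
  Printf.printf "Map: found=%b after %d comparisons\n" found !comparisons;

  (* OCaml >= 4.00 alternative: per-table random seed for the stdlib hash. *)
  let rnd : (string, unit) Hashtbl.t = Hashtbl.create ~random:true 16 in
  List.iter (fun k -> Hashtbl.replace rnd k ()) keys;
  Printf.printf "Hashtbl (~random:true): longest bucket %d\n"
    (Hashtbl.stats rnd).Hashtbl.max_bucket_length
```

The `~random:true` argument and `Hashtbl.stats` need OCaml 4.00 or later, which is why the Map-based change was the option available to xml-light on older compilers.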