Bug 922177 (CVE-2013-1864)

Summary: CVE-2013-1864 ptlib: denial of service processing certain XML documents
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: otte, veillard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-11 21:05:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 922178    

Description Vincent Danen 2013-03-15 16:37:56 UTC 
A flaw in ptlib prior to 2.12.1 was fixed [1]; this prevents the "billion laughs" denial of service attack.  This attack is due to improper length checks/recursion detection during XML entity expansion.  If an attacker were able to provide as input a crafted XML document containing a large number of nested entity references, they could cause the application linked to ptlib (for example, Ekiga) to consume extreme amounts of CPU and memory.

[1] http://opalvoip.svn.sourceforge.net/viewvc/opalvoip?view=revision&revision=28856
Comment 1 Peter Robinson 2013-03-15 16:49:58 UTC 
Is this the same as RHBZ 883058? 

If so the fix was back ported to ptlib 2.10.10
Comment 2 Kurt Seifried 2013-03-15 17:07:20 UTC 
Added CVE as per http://www.openwall.com/lists/oss-security/2013/03/15/7
Comment 3 Vincent Danen 2013-03-15 17:18:28 UTC 
(In reply to comment #1)
> Is this the same as RHBZ 883058? 
> 
> If so the fix was back ported to ptlib 2.10.10

No, I don't believe so.  That issue is about not verifying UTF-8 prior to display leading to a crash.  This issue is about XML entity expansion and recursion, which doesn't lead to a crash but to excessive CPU/memory usage.

In bug 883058#c6 it talks about the same commit, but I don't think that reference was correct, as the upstream gnome bug for bug 883058 referenced https://git.gnome.org/browse/ekiga/commit/?id=7d09807257 as the fix, which is entirely different (ptlib/trunk/src/ptclib/pxml.cxx (this flaw) vs lib/engine/components/opal/opal-call.cpp (that bug)).
Comment 6 Huzaifa S. Sidhpurwala 2013-03-19 06:42:07 UTC 
This issue does not affect the version of ptlib as shipped with Fedora 17 and Fedora-18
Comment 7 Product Security DevOps Team 2021-06-11 21:05:02 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2013-1864