2154790 – (CVE-2021-4249) CVE-2021-4249 ghc-xml-conduit: infinite loop via crafted xml

Bug 2154790 (CVE-2021-4249) - CVE-2021-4249 ghc-xml-conduit: infinite loop via crafted xml

Summary: CVE-2021-4249 ghc-xml-conduit: infinite loop via crafted xml

Keywords:
Status:	NEW
Alias:	CVE-2021-4249
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-12-19 09:29 UTC by Marian Rehak
Modified:	2023-07-07 08:32 UTC (History)
CC List:	1 user (show)
Fixed In Version:	ghc-xml-conduit 1.9.1.0
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2022-12-19 09:29:49 UTC

Affected is an unknown function of the file xml-conduit/src/Text/XML/Stream/Parse.hs of the component DOCTYPE Entity Expansion Handler. The manipulation leads to infinite loop. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-216204.

Reference:

https://vuldb.com/?id.216204
https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea

Note You need to log in before you can comment on or make changes to this bug.