Bug 458086 (CVE-2008-3281) - CVE-2008-3281 libxml2 denial of service
Summary: CVE-2008-3281 libxml2 denial of service
Alias: CVE-2008-3281
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Depends On: 458091 458092 458093 458094 458095 458096 459712 459713 459714
TreeView+ depends on / blocked
Reported: 2008-08-06 13:59 UTC by Red Hat Product Security
Modified: 2019-09-29 12:26 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-03-26 18:15:22 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0836 normal SHIPPED_LIVE Moderate: libxml2 security update 2008-08-26 08:38:09 UTC

Description Red Hat Product Security 2008-08-06 13:59:19 UTC
Daniel Veillard discovered that a specially crafted document can lead to a
recursive evaluation of entities, the result being an exhaustion of memory
and CPU usage


Red Hat would like to thank Andreas Solberg for responsibly disclosing this

Comment 8 Josh Bressers 2008-08-06 15:13:04 UTC
I was mistaken,
Andreas Solberg is the discoverer of this flaw.

Comment 17 Tomas Hoger 2008-08-20 18:11:23 UTC
Public now via:

Comment 19 Fedora Update System 2008-09-10 06:44:24 UTC
libxml2-2.6.32-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2008-09-10 07:04:15 UTC
libxml2-2.6.32-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Dmitry Butskoy 2008-10-02 16:04:59 UTC
It seems that it introduces some issues with createrepo command
(which uses libxml2-python and libxml2).

Sometimes the changelog entries of packages contain "<" and/or ">" symbols. For example, a fragment of the changelog of "k3b" package:

> * Wed Oct  6 02:00:00 2004 Harald Hoyer <harald@redhat.com> 0:0.11.17-1
> - version 0.11.17
> - revert the dao -> tao change
> - add the suid feature to every app automatically

note the "->" in the line:

> - revert the dao -> tao change

When I create my local repodata ("cd somewhere; createrepo ."), the correspond fragment appears in the "repodata/other.xml.gz" file, in the form of:

> - revert the dao -&gt; tao change

Then, when I update my repodata by "createrepo --update .", I receive an error:

> Scanning old repo data
> Indexed 2997 base nodes
> Indexed 3001 filelist nodes
> /var/ftp/.4/fedora-8/fedora/i386/./repodata/other.xml.gz:118813: parser error : Detected an entity reference loop
> - revert the dao -&gt; tao change
>                       ^
> Traceback (most recent call last):
>   File "/usr/share/createrepo/genpkgmetadata.py", line 722, in <module>
>     main(sys.argv[1:])
>   File "/usr/share/createrepo/genpkgmetadata.py", line 645, in main
>     mdgen.doPkgMetadata(directory)
>   File "/usr/share/createrepo/genpkgmetadata.py", line 161, in doPkgMetadata
>     basefile, flfile, otherfile, opts)
>   File "/usr/share/createrepo/readMetadata.py", line 41, in __init__
>     self.scan()
>   File "/usr/share/createrepo/readMetadata.py", line 64, in scan
>     root = libxml2.parseFile(self.files['other']).getRootElement()
>   File "/usr/lib/python2.5/site-packages/libxml2.py", line 1279, in parseFile
>     if ret is None:raise parserError('xmlParseFile() failed')
> libxml2.parserError: xmlParseFile() failed

IOW, the initial "full" createrepo run seems OK, the subsequent run with "--update" is failed.

Any comments?

Comment 22 Dmitry Butskoy 2008-10-02 16:15:58 UTC
Forget, the latest libxml2-2.7.1 has no such an issue...

Comment 23 Daniel Veillard 2008-10-02 16:24:41 UTC
w.r.t. comment #21 the first fix had that problem, we pushed other updates
using a different fix without that problem later. 2.7.x fixes it too


Comment 24 Vincent Danen 2013-03-26 18:15:22 UTC
This was fixed in RHEL 2.1, 3, 4, and 5 via:


Note You need to log in before you can comment on or make changes to this bug.