Red Hat Bugzilla – Bug 461015
CVE-2008-3529 libxml2: long entity name heap buffer overflow
Last modified: 2016-03-04 05:42:37 EST
It was discovered, that libxml2 does not properly handle long XML entity names. In the xmlParseAttValueComplex() function in parser.c, when entity name is not substituted with entity value, but is sent to output unchanged, buffer used to store entity name may not be grown sufficiently in case of long entity names, resulting in a heap buffer overflow.
Issue is already fixed upstream in version 2.7.0.
Created attachment 315648 [details]
Proposed patch from Daniel Veillard (against 2.6.32)