Bug 787890 - (CVE-2012-3514) CVE-2012-3514 ocaml-xml-light: hash table collisions CPU usage DoS
Status: CLOSED NEXTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20120206,repor...
Keywords: Security
Duplicates: 787904
Depends On:
Blocks: hashdos/oCERT-2011-003 788183
Reported: 2012-02-06 20:28 EST by Kurt Seifried
Modified: 2015-07-31 11:11 EDT

Doc Type: Bug Fix
Last Closed: 2014-06-12 14:37:49 EDT


Description Kurt Seifried 2012-02-06 20:28:25 EST
Juraj Somorovsky reported that certain XML parsers/servers are affected by the
same, or similar, flaw as the hash table collisions CPU usage denial of
service.  Sending a specially crafted message to an XML service can result in
longer processing time, which could lead to a denial of service.  It is
reported that this attack on XML can be applied on different XML nodes (such as
entities, element attributes, namespaces, various elements in the XML security,
etc.).

ocaml-xml-light is written in OCaml and makes significant use of hash tables. A
discussion of a fix for hash tables in OCaml is taking place; once that is fixed, this bug should be a non-issue (bug #787888).
Comment 1 Kurt Seifried 2012-02-07 11:31:51 EST
*** Bug 787904 has been marked as a duplicate of this bug. ***
Comment 2 Kurt Seifried 2012-04-03 12:48:44 EDT
OCaml should contain a fixed implementation of hash tables in version 4.00:

====
According to Xavier Leroy Xavier.Leroy@inria.fr:

We decided to skip the 3.13 release entirely and go straight to 4.00.
The 4.00 release is scheduled for June 2012.

http://caml.inria.fr/mantis/view.php?id=5572
====

At that time, this software can be corrected to use the optional randomized hash table implementation.
Comment 3 Richard W.M. Jones 2012-04-03 13:03:11 EDT
How did I not see this bug before?  Anyway, ocaml-xml-light
is distributed in RHEL 5 & 6.  Upstream is dead(-ish).

Our actual usage of XmlLight in RHEL (by virt-top) is not
likely to be exploitable, because:

(1) it's only used to parse the output of libvirtd, which
is not generally modifiable by non-root users, and

(2) even root can only modify it in very limited ways
(you cannot, for example, add arbitrary XML nodes, which
would appear to make it impossible to exploit this bug).
Comment 6 Kurt Seifried 2012-08-21 01:41:38 EDT
Nicolas Cannasse ncannasse@motion-twin.com reports:

Xml-Light has been moved to google code SVN here :
http://ocamllibs.googlecode.com/svn/trunk/xml-light/

I've applied a fix in r234 by using String Map instead of Hashtbl for DTD proof.
Comment 7 Kurt Seifried 2012-08-21 01:53:06 EDT
Added CVE as per http://www.openwall.com/lists/oss-security/2012/08/21/2
Comment 8 Tomas Hoger 2012-08-21 04:21:13 EDT
(In reply to comment #6)
> Xml-Light has been moved to google code SVN here :
> http://ocamllibs.googlecode.com/svn/trunk/xml-light/
> 
> I've applied a fix in r234 by using String Map instead of Hashtbl for DTD
> proof.

https://code.google.com/p/ocamllibs/source/detail?r=234
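
The two mitigations named in comments 2 and 6 (a randomized `Hashtbl` and a string-keyed `Map`), shown side by side as an added OCaml example. It is not part of the bug thread and is not the code from r234; the `attr_decl` type, the function names and the sample names are hypothetical.

```ocaml
(* Added illustration; not code from xml-light or from revision r234. *)

module StringMap = Map.Make (String)

(* Hypothetical stand-in for a DTD attribute declaration. *)
type attr_decl = { attr_name : string; required : bool }

(* Mitigation from comment 6: a balanced-tree map keyed by string.
   Inserts and lookups cost O(log n) string comparisons whatever names
   the document chooses, so crafted names cannot degrade them to O(n). *)
let index_with_map (decls : attr_decl list) : attr_decl StringMap.t =
  List.fold_left
    (fun acc d -> StringMap.add d.attr_name d acc)
    StringMap.empty decls

(* Mitigation from comment 2: Hashtbl with a per-table random seed,
   selected by the optional ~random argument (OCaml 4.00 and later). *)
let index_with_random_hashtbl (decls : attr_decl list) =
  let tbl = Hashtbl.create ~random:true 64 in
  List.iter (fun d -> Hashtbl.replace tbl d.attr_name d) decls;
  tbl

(* Defensive check: length of the longest bucket chain in a table.
   A value close to the number of entries means lookups are linear. *)
let longest_chain tbl = (Hashtbl.stats tbl).Hashtbl.max_bucket_length

let () =
  (* Constructed sample input: 10_000 benign attribute names. *)
  let decls =
    List.init 10_000 (fun i ->
        { attr_name = Printf.sprintf "attr%d" i; required = i mod 2 = 0 })
  in
  let m = index_with_map decls in
  let t = index_with_random_hashtbl decls in
  assert (StringMap.cardinal m = 10_000);
  assert (Hashtbl.length t = 10_000);
  assert ((StringMap.find "attr42" m).required);
  Printf.printf "entries=%d longest bucket chain=%d\n"
    (Hashtbl.length t) (longest_chain t)
```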
Comment 9 Richard W.M. Jones 2012-08-21 04:25:37 EDT
Build for Rawhide:
http://koji.fedoraproject.org/koji/taskinfo?taskID=4408967
Comment 10 Richard W.M. Jones 2012-08-21 04:37:54 EDT
I also did builds for F18, F17.
Comment 11 Fedora Update System 2012-08-30 21:00:12 EDT
ocaml-xml-light-2.3-0.1.svn234.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-09-17 20:02:12 EDT
ocaml-xml-light-2.3-0.1.svn234.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Tomas Hoger 2014-06-12 14:37:49 EDT
This issue does not affect any OCaml applications shipped in Red Hat Enterprise Linux 6.  OCaml is only shipped via unsupported Optional repository as a build dependency.  Therefore, this issue is not planned to be addressed in future Red Hat Enterprise Linux 6 updates.  The fix is included in OCaml packages shipped as part of Red Hat Enterprise Linux 7.

Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
