Bug 787890 (CVE-2012-3514) - CVE-2012-3514 ocaml-xml-light: hash table collisions CPU usage DoS
Status: CLOSED NEXTRELEASE
Alias: CVE-2012-3514
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: 787904
Blocks: hashdos, oCERT-2011-003 788183
Reported: 2012-02-07 01:28 UTC by Kurt Seifried
Modified: 2021-02-24 13:13 UTC (History)

Last Closed: 2014-06-12 18:37:49 UTC

Description Kurt Seifried 2012-02-07 01:28:25 UTC
Juraj Somorovsky reported that certain XML parsers/servers are affected by the
same, or similar, flaw as the hash table collisions CPU usage denial of
service.  Sending a specially crafted message to an XML service can result in
longer processing time, which could lead to a denial of service.  It is
reported that this attack on XML can be applied on different XML nodes (such as
entities, element attributes, namespaces, various elements in the XML security,
etc.).

ocaml-xml-light is written in OCaml and makes significant use of hash tables. A
discussion of a fix for hash tables in OCaml is taking place; once that is fixed, this bug should be a non-issue (bug #787888).

Comment 1 Kurt Seifried 2012-02-07 16:31:51 UTC
*** Bug 787904 has been marked as a duplicate of this bug. ***

Comment 2 Kurt Seifried 2012-04-03 16:48:44 UTC
OCaml should contain a fixed implementation of hash tables in version 4.00:

====
According to Xavier Leroy:

We decided to skip the 3.13 release entirely and go straight to 4.00.
The 4.00 release is scheduled for June 2012.

http://caml.inria.fr/mantis/view.php?id=5572
====

At that time, this software can be corrected to use the optional randomized hash table implementation.

Comment 3 Richard W.M. Jones 2012-04-03 17:03:11 UTC
How did I not see this bug before?  Anyway, ocaml-xml-light
is distributed in RHEL 5 & 6.  Upstream is dead(-ish).

Our actual usage of XmlLight in RHEL (by virt-top) is not
likely to be exploitable, because:

(1) it's only used to parse the output of libvirtd, which
is not generally modifiable by non-root users, and

(2) even root can only modify it in very limited ways
(you cannot, for example, add arbitrary XML nodes, which
would appear to make it impossible to exploit this bug).

Comment 6 Kurt Seifried 2012-08-21 05:41:38 UTC
Nicolas Cannasse reports:

Xml-Light has been moved to google code SVN here :
http://ocamllibs.googlecode.com/svn/trunk/xml-light/

I've applied a fix in r234 by using String Map instead of Hashtbl for DTD proof.

Comment 7 Kurt Seifried 2012-08-21 05:53:06 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2012/08/21/2

Comment 8 Tomas Hoger 2012-08-21 08:21:13 UTC
(In reply to comment #6)
> Xml-Light has been moved to google code SVN here :
> http://ocamllibs.googlecode.com/svn/trunk/xml-light/
> 
> I've applied a fix in r234 by using String Map instead of Hashtbl for DTD
> proof.

https://code.google.com/p/ocamllibs/source/detail?r=234
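
The two mitigations discussed in this bug, the randomized `Hashtbl` of OCaml 4.00 and the String Map used in r234, can be compared side by side. This is an added example, not part of any comment in this bug and not code from xml-light or r234; the constant hash function (which simulates total collision without producing colliding keys), the `attrN` key names and the helper names are assumptions for illustration, and `List.init` needs OCaml 4.06 or later.

```ocaml
(* Added example, not xml-light code. Worst-case collisions are simulated with
   a constant hash function (an assumption); key names are constructed. *)

(* A Hashtbl in which every key lands in one bucket: the degenerate case. *)
module Collide = Hashtbl.Make (struct
  type t = string
  let equal = String.equal
  let hash _ = 0
end)

module SMap = Map.Make (String)

let keys n = List.init n (fun i -> "attr" ^ string_of_int i)

(* Longest bucket chain after inserting n keys into the degenerate table. *)
let degenerate_max_bucket n =
  let h = Collide.create 16 in
  List.iter (fun k -> Collide.replace h k ()) (keys n);
  (Collide.stats h).Hashtbl.max_bucket_length

(* Same keys in a balanced-tree map: lookups cost O(log n) for any key set. *)
let map_of_keys n =
  List.fold_left (fun m k -> SMap.add k () m) SMap.empty (keys n)

(* Seeded table (OCaml >= 4.00): bucket placement depends on a random seed
   chosen per table, so it cannot be predicted from the keys alone. *)
let randomized_table n =
  let h = Hashtbl.create ~random:true 16 in
  List.iter (fun k -> Hashtbl.replace h k ()) (keys n);
  h

(* CPU time consumed by f, in seconds. *)
let time f =
  let t0 = Sys.time () in
  let r = f () in
  (r, Sys.time () -. t0)

let () =
  let n = 10_000 in
  let longest, t_hash = time (fun () -> degenerate_max_bucket n) in
  let m, t_map = time (fun () -> map_of_keys n) in
  let st = Hashtbl.stats (randomized_table n) in
  Printf.printf "degenerate Hashtbl: longest chain %d, %.3fs\n" longest t_hash;
  Printf.printf "String Map: %d bindings, %.3fs\n" (SMap.cardinal m) t_map;
  Printf.printf "randomized Hashtbl: longest chain %d over %d buckets\n"
    st.Hashtbl.max_bucket_length st.Hashtbl.num_buckets
```

The degenerate table's insert time grows quadratically with `n`, while the map's cost does not depend on how the keys hash, which is why the r234 change removes the issue without requiring OCaml 4.00.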

Comment 9 Richard W.M. Jones 2012-08-21 08:25:37 UTC
Build for Rawhide:
http://koji.fedoraproject.org/koji/taskinfo?taskID=4408967

Comment 10 Richard W.M. Jones 2012-08-21 08:37:54 UTC
I also did builds for F18, F17.

Comment 11 Fedora Update System 2012-08-31 01:00:12 UTC
ocaml-xml-light-2.3-0.1.svn234.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2012-09-18 00:02:12 UTC
ocaml-xml-light-2.3-0.1.svn234.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Tomas Hoger 2014-06-12 18:37:49 UTC
This issue does not affect any OCaml applications shipped in Red Hat Enterprise Linux 6.  OCaml is only shipped via the unsupported Optional repository as a build dependency.  Therefore, this issue is not planned to be addressed in future Red Hat Enterprise Linux 6 updates.  The fix is included in OCaml packages shipped as part of Red Hat Enterprise Linux 7.

Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

