Juraj Somorovsky reported that certain XML parsers/servers are affected by the same, or similar, flaw as the hash table collisions CPU usage denial of service. Sending a specially crafted message to an XML service can result in longer processing time, which could lead to a denial of service. It is reported that this attack on XML can be applied on different XML nodes (such as entities, element attributes, namespaces, various elements in the XML security, etc.). ocaml-xml-light is written in OCaml and makes significant use of hash tables. A discussion of a fix for hash tables in OCaml is taking place; once that is fixed this bug should be a non-issue (bug #787888).
*** Bug 787904 has been marked as a duplicate of this bug. ***
ocaml should contain a fixed implementation of hash tables in version 4.00:

====
According to Xavier Leroy Xavier.Leroy:
We decided to skip the 3.13 release entirely and go straight to 4.00. The 4.00 release is scheduled for June 2012.
http://caml.inria.fr/mantis/view.php?id=5572
====

At that time this software can be corrected to use the optional randomized hash table implementation.
How did I not see this bug before? Anyway, ocaml-xml-light is distributed in RHEL 5 & 6. Upstream is dead(-ish). Our actual usage of XmlLight in RHEL (by virt-top) is not likely to be exploitable, because: (1) it's only used to parse the output of libvirtd, which is not generally modifiable by non-root users, and (2) even root can only modify it in very limited ways (you cannot, for example, add arbitrary XML nodes, which would appear to make it impossible to exploit this bug).
Nicolas Cannasse ncannasse reports:

Xml-Light has been moved to google code SVN here: http://ocamllibs.googlecode.com/svn/trunk/xml-light/

I've applied a fix in r234 by using String Map instead of Hashtbl for DTD proof.
Added CVE as per http://www.openwall.com/lists/oss-security/2012/08/21/2
(In reply to comment #6)
> Xml-Light has been moved to google code SVN here :
> http://ocamllibs.googlecode.com/svn/trunk/xml-light/
>
> I've applied a fix in r234 by using String Map instead of Hashtbl for DTD
> proof.

https://code.google.com/p/ocamllibs/source/detail?r=234
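The two mitigations named in this bug (a String Map instead of Hashtbl, and the optional randomized Hashtbl of OCaml 4.00) compared against a colliding table, as an added example that is not code from xml-light or r234. It assumes OCaml 4.06 or later; the `WeakKey` hash that returns 0 for every key is a hypothetical stand-in for a predictable hash, and the key names are constructed sample data.

```ocaml
(* Added illustration; not code from xml-light or its r234 fix. *)

(* Hypothetical degenerate hash: every key lands in the same bucket. This
   models the worst case of a predictable hash without real colliding input. *)
module WeakKey = struct
  type t = string
  let equal = String.equal
  let hash (_ : string) = 0
end

module WeakTbl = Hashtbl.Make (WeakKey)
module StringMap = Map.Make (String)

(* Constructed sample input: n distinct attribute-like names. *)
let names n = List.init n (fun i -> Printf.sprintf "attr%06d" i)

(* CPU seconds consumed by f, together with its result. *)
let time f =
  let t0 = Sys.time () in
  let r = f () in
  (r, Sys.time () -. t0)

(* replace scans the bucket for an existing binding, so with one shared
   bucket each insertion is linear and the whole fill is quadratic. *)
let fill_weak keys =
  let t = WeakTbl.create 16 in
  List.iter (fun k -> WeakTbl.replace t k ()) keys;
  t

(* Balanced tree: logarithmic insertion whatever the keys look like. *)
let fill_map keys =
  List.fold_left (fun m k -> StringMap.add k () m) StringMap.empty keys

(* Generic Hashtbl with a per-table random seed (available since 4.00). *)
let fill_seeded keys =
  let t = Hashtbl.create ~random:true 16 in
  List.iter (fun k -> Hashtbl.replace t k ()) keys;
  t

let () =
  let keys = names 10_000 in
  let weak, t_weak = time (fun () -> fill_weak keys) in
  let map, t_map = time (fun () -> fill_map keys) in
  let seeded, t_seeded = time (fun () -> fill_seeded keys) in
  Printf.printf "colliding Hashtbl: %.3fs, longest bucket %d\n"
    t_weak (WeakTbl.stats weak).Hashtbl.max_bucket_length;
  Printf.printf "String Map:        %.3fs, %d bindings\n"
    t_map (StringMap.cardinal map);
  Printf.printf "seeded Hashtbl:    %.3fs, longest bucket %d\n"
    t_seeded (Hashtbl.stats seeded).Hashtbl.max_bucket_length
```

`Hashtbl.stats` is also usable as a runtime check: a longest bucket that grows with the number of bindings indicates that keys are colliding.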
Build for Rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=4408967
I also did builds for F18, F17.
ocaml-xml-light-2.3-0.1.svn234.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
ocaml-xml-light-2.3-0.1.svn234.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This issue does not affect any OCaml applications shipped in Red Hat Enterprise Linux 6. OCaml is only shipped via unsupported Optional repository as a build dependency. Therefore, this issue is not planned to be addressed in future Red Hat Enterprise Linux 6 updates. The fix is included in OCaml packages shipped as part of Red Hat Enterprise Linux 7.

Statement: The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.