Bug 888759 - unbound: unbound-anchor does not disable internal XML entity expansion
Summary: unbound: unbound-anchor does not disable internal XML entity expansion
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: unbound
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 888729
TreeView+ depends on / blocked
 
Reported: 2012-12-19 12:39 UTC by Florian Weimer
Modified: 2013-06-11 09:06 UTC (History)
2 users (show)

Fixed In Version: unbound-1.4.20-3.fc18
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-05 06:58:45 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Florian Weimer 2012-12-19 12:39:17 UTC 
xml_parse_setup() does not disable XML entity expansion, technically introducing a denial-of-service issue ("billion laughs attack").  I say "technically" because the file is trusted and its signature is verified before parsing.  But given that it was downloaded from the network, fixing this is still a good idea.

 Adding the following handler using

  XML_SetEntityDeclHandler(parser, EntityDeclHandler);

should be sufficient to address this issue.

// Stop the parser when an entity declaration is encountered.
static void
EntityDeclHandler(void *userData,
		  const XML_Char *entityName, int is_parameter_entity,
		  const XML_Char *value, int value_length,
		  const XML_Char *base, const XML_Char *systemId,
		  const XML_Char *publicId, const XML_Char *notationName)
{
  XML_StopParser((XML_Parser)userData, XML_FALSE);
}
Comment 1 Fedora Update System 2012-12-21 04:05:04 UTC 
unbound-1.4.19-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/unbound-1.4.19-1.fc18
Comment 2 Fedora Update System 2012-12-21 14:51:12 UTC 
unbound-1.4.19-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/unbound-1.4.19-1.fc17
Comment 3 Fedora Update System 2012-12-21 16:22:57 UTC 
unbound-1.4.19-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/unbound-1.4.19-1.el6
Comment 4 Fedora Update System 2012-12-21 20:05:30 UTC 
Package unbound-1.4.19-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing unbound-1.4.19-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20836/unbound-1.4.19-1.fc18
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2013-01-05 06:58:47 UTC 
unbound-1.4.19-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-01-11 23:29:39 UTC 
unbound-1.4.19-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-01-16 17:27:38 UTC 
unbound-1.4.19-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-04-17 03:04:34 UTC 
unbound-1.4.20-6.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/unbound-1.4.20-6.fc19
Comment 9 Fedora Update System 2013-04-17 04:23:50 UTC 
unbound-1.4.20-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/unbound-1.4.20-1.fc18
Comment 10 Fedora Update System 2013-04-19 15:00:56 UTC 
unbound-1.4.20-7.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/unbound-1.4.20-7.fc19
Comment 11 Fedora Update System 2013-06-01 04:07:29 UTC 
unbound-1.4.20-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/unbound-1.4.20-3.fc18
Comment 12 Fedora Update System 2013-06-11 09:06:51 UTC 
unbound-1.4.20-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.