It was found that LuaExpat, a SAX XML parser based on the Expat library, is prone to the XML "billion laughs" attack, as described in:

[1] http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html#N100F1

A remote attacker could provide a specially-crafted XML file which, once opened in an application linked against LuaExpat, could cause that application to crash.

References:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629225
[3] http://matthewwild.co.uk/projects/luaexpat/luaexpat-1.2.0.tar.gz
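The report above names the attack but not what an application-side guard looks like. The following is an added example, not code from the report or from the LuaExpat project: it uses Python's xml.parsers.expat (the same underlying Expat library) to show two defensive checks an Expat-based parser can apply, refusing entity declarations outright, and bounding how much character data the parser emits relative to the input size. The policy thresholds and both sample documents are constructed for illustration; the nested-entity sample is a small instance of the pattern (ten characters expanded to a thousand) sized only to trigger the checks.

```python
"""Guarded Expat parsing: refuse XML whose entity declarations expand out of proportion.

Added example for the LuaExpat "billion laughs" report. Uses Python's
xml.parsers.expat rather than LuaExpat; thresholds and samples are constructed.
"""
import xml.parsers.expat as expat


class EntityExpansionError(ValueError):
    """Raised when a document violates the entity-expansion policy."""


class GuardedParser:
    """Parse XML with Expat while bounding internal entity expansion.

    max_entity_decls: how many <!ENTITY ...> declarations to tolerate (0 = none,
        a reasonable default for applications that never need DTD entities).
    max_expansion_ratio: cap on bytes of character data delivered by the parser
        relative to bytes of input; nested entities exceed this quickly.
    """

    def __init__(self, max_entity_decls=0, max_expansion_ratio=10.0):
        self.max_entity_decls = max_entity_decls
        self.max_expansion_ratio = max_expansion_ratio
        self.entity_decls = 0
        self.input_bytes = 0
        self.output_bytes = 0
        self.text_parts = []
        self.parser = expat.ParserCreate()
        self.parser.EntityDeclHandler = self._on_entity_decl
        self.parser.CharacterDataHandler = self._on_character_data

    # Expat reports every entity declaration in the internal DTD subset here,
    # before any of them is expanded, so this is the cheapest place to refuse.
    def _on_entity_decl(self, name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
        self.entity_decls += 1
        if self.entity_decls > self.max_entity_decls:
            raise EntityExpansionError(
                f"entity declaration {name!r} exceeds policy "
                f"(max {self.max_entity_decls})")

    # Expanded entity text arrives as ordinary character data; comparing the
    # running total with the input size catches expansion regardless of depth.
    def _on_character_data(self, data):
        self.output_bytes += len(data.encode("utf-8"))
        if self.output_bytes > self.max_expansion_ratio * self.input_bytes:
            raise EntityExpansionError(
                f"character data ({self.output_bytes} bytes) exceeds "
                f"{self.max_expansion_ratio}x input ({self.input_bytes} bytes)")
        self.text_parts.append(data)

    def parse(self, data: bytes) -> str:
        """Parse a complete document and return its concatenated text content."""
        self.input_bytes = len(data)
        # An exception raised inside a handler stops the parser and propagates
        # out of Parse(), so the caller sees the policy violation directly.
        self.parser.Parse(data, True)
        return "".join(self.text_parts)


def parse_text(data: bytes, **policy) -> str:
    """Parse with a fresh GuardedParser under the given policy keywords."""
    return GuardedParser(**policy).parse(data)


def is_rejected(data: bytes, **policy) -> bool:
    """True if the policy refuses the document, False if it parses."""
    try:
        parse_text(data, **policy)
    except EntityExpansionError:
        return True
    return False


# Constructed sample documents (not from the report).
BENIGN_XML = b'<?xml version="1.0"?><root><item>hello</item></root>'

# Three levels of ten references turn ten characters into a thousand (179 bytes
# of input, 1000 bytes of text). Each further level multiplies the output by
# ten, which is what the ratio check above bounds.
NESTED_ENTITY_XML = b"""<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY a "xxxxxxxxxx">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<root>&c;</root>"""


if __name__ == "__main__":
    print("benign text:", parse_text(BENIGN_XML))
    print("nested, default policy rejected:", is_rejected(NESTED_ENTITY_XML))
    print("nested, decls allowed but ratio 2 rejected:",
          is_rejected(NESTED_ENTITY_XML, max_entity_decls=5, max_expansion_ratio=2.0))
    print("nested, permissive policy rejected:",
          is_rejected(NESTED_ENTITY_XML, max_entity_decls=5, max_expansion_ratio=20.0))
```

The declaration-count check is the simplest mitigation for applications that never consume DTD entities; the ratio check is for applications that must accept some entities but want a hard bound on the memory the parser can be made to allocate. Newer Expat releases also carry a built-in amplification limit, but it only activates above a sizeable input threshold, so an application-level policy like this remains useful for small inputs.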
The updates for the lua-expat package, as shipped with Fedora releases 14 and 15 and within the EPEL-5 and EPEL-6 repositories, addressing this issue have already been scheduled. The relevant name-version-releases are:

1) lua-expat-1.2.0-1.fc14 for F-14,
2) lua-expat-1.2.0-1.fc15 for F-15,
3) lua-expat-1.2.0-1.el5 for EPEL-5,
4) lua-expat-1.2.0-1.el6 for EPEL-6.

This issue affects the version of the lua-expat package as shipped with Fedora release 13. Please schedule an update.
Created lua-expat tracking bugs for this issue

Affects: fedora-13 [bug 711029]
CVE request:
[4] http://www.openwall.com/lists/oss-security/2011/06/06/4
The CVE identifier CVE-2011-2188 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2011/06/06/19
F-13 is EOL so closing.