As reported on oss-security [1]:

So here are the CVEs for the two big ones, libxml2 and expat. Both are affected by the expansion of internal entities (which can be used to consume resources) and external entities (which can cause a denial of service against other services, be used to port scan, etc.). To be clear:

...

====================
External entity expansion refers to the loading of external resources such as XML entities from another server or a local file:
====================

<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>

<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>

Which can cause resources to be consumed or can result in port scanning / application scanning information being sent to the attacker.

...

Please use CVE-2013-0341 for expat external entities expansion

There is, however, some debate on whether expat resolves external entities at all, which would make the vulnerability inside code which uses expat [2].

[1] http://www.openwall.com/lists/oss-security/2013/02/22/4
[2] http://www.openwall.com/lists/oss-security/2013/02/22/21
Expat does not read or parse external entities directly. The developer using expat has to explicitly set ExternalEntityRefHandler, then create "a subsidiary parser with XML_ExternalEntityParserCreate". This flaw can be mitigated by not expanding external entities, especially the ones which come from untrusted sources. Therefore expat by default does not expand external entities and provides a mechanism for applications using it to disable such expansion via the API.

Closing this flaw as wontfix. Based on a similar reason, MITRE has decided to reject the CVE id associated with this flaw.
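The behaviour described in the comment above, shown through Python's pyexpat binding as an added example (not code from the bug report, expat or Red Hat): a stock parser has no ExternalEntityRefHandler, so the &ee; reference from the page's sample document is left unresolved, and an application that does install a handler can record the reference and refuse it, which makes expat abort the parse rather than load the file. The sample document is constructed from the one quoted above.

```python
import xml.parsers.expat
from xml.parsers.expat import ExpatError

# Constructed sample: the external-entity document quoted in the report.
XXE_DOC = b"""<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>"""


def parse_default(doc: bytes) -> str:
    """Parse with a stock pyexpat parser. No ExternalEntityRefHandler is
    set, so expat never tries to load the SYSTEM entity; the reference is
    skipped and <root> yields no character data."""
    chunks = []
    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = chunks.append
    p.Parse(doc, True)
    return "".join(chunks)


def parse_refusing(doc: bytes):
    """Install a handler that logs the referenced system ID and returns 0.
    A zero return tells expat the reference was not handled, so the parse
    fails instead of fetching the resource (the application-level mitigation
    the comment describes). Returns (system IDs seen, error text or None)."""
    seen = []

    def refuse(context, base, system_id, public_id):
        seen.append(system_id)  # audit trail for detection, nothing is loaded
        return 0

    p = xml.parsers.expat.ParserCreate()
    p.ExternalEntityRefHandler = refuse
    try:
        p.Parse(doc, True)
        return seen, None
    except ExpatError as e:
        return seen, str(e)


if __name__ == "__main__":
    print(repr(parse_default(XXE_DOC)))
    print(parse_refusing(XXE_DOC))
```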