[lxml-dev] Fwd: [xml] Security fix for libxml2
Stefan Behnel
stefan_ml at behnel.de
Wed Aug 20 20:50:26 CEST 2008
FYI
-------- Original-Message --------
Subject: [xml] Security fix for libxml2
Date: Wed, 20 Aug 2008 19:00:51 +0200
From: Daniel Veillard <veillard at redhat.com>
To: xml at gnome.org
Bad news, when checking against the recursive entity expansion problem
back when it was made official (cf. the billion laughs attack circa
2004) I had checked for the normal recursion, but when happening in
an attribute value the resource consumption is way faster and the
recursion detection in place is not sufficient to catch the problem.
Basically when this happens within an attribute just checking for
a recursion depth is not sufficient, and the only good method I could
find was to count the number of entity replacements taking place while
parsing a given document, and drop parsing after half a million
substitutions. I think it's a fair default process and what the patches
below implement for various libxml2 versions, but I can understand that
in some cases that may be problematic. So I intend in the next release
(2.7.0 hopefully available soon) to add a parser flag removing the
hardcoded limits (there is also a maximum document depth in place).
Distributions have been made aware of the problem for a couple of
weeks and updates should be available soon from normal update channels.
I'm updating SVN with the fix too,
Daniel
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: libxml2-2.6.32-billion_laught.patch
Url: http://codespeak.net/pipermail/lxml-dev/attachments/20080820/5bd0f960/attachment-0003.diff
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: libxml2-2.6.26-billion_laught.patch
Url: http://codespeak.net/pipermail/lxml-dev/attachments/20080820/5bd0f960/attachment-0004.diff
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: libxml2-2.6.16-billion_laught.patch
Url: http://codespeak.net/pipermail/lxml-dev/attachments/20080820/5bd0f960/attachment-0005.diff
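
The sketch below is an added illustration, not code from the libxml2 patches or from either author. It shows why a depth guard alone does not bound expansion work, while a per-document substitution counter with the half-million cap from the message does. The entity model, the names (struct ctx, expand, parse_document) and the MAX_DEPTH value are assumptions, and it does not reproduce libxml2's attribute-value handling.

```c
#include <stdio.h>

#define MAX_DEPTH 40                /* assumed value for this sketch */
#define MAX_SUBSTITUTIONS 500000UL  /* "half a million" from the message */

/* Hypothetical parser state: only the two guards discussed above. */
struct ctx {
    unsigned long nb_subst; /* entity replacements so far in this document */
    int max_depth_seen;     /* deepest nesting reached */
    int error;              /* 0 = ok, 1 = depth limit, 2 = substitution limit */
};

/* Constructed model: the entity at `level` references the entity at
 * level + 1 `fanout` times; the entity at `levels` is plain text. */
static void expand(struct ctx *c, int level, int levels, int fanout, int depth)
{
    if (c->error)
        return;
    if (depth > MAX_DEPTH) { c->error = 1; return; }
    if (depth > c->max_depth_seen)
        c->max_depth_seen = depth;
    /* Per-document counter: total work is bounded even when nesting is shallow. */
    if (++c->nb_subst > MAX_SUBSTITUTIONS) { c->error = 2; return; }
    if (level == levels)
        return;
    for (int i = 0; i < fanout && !c->error; i++)
        expand(c, level + 1, levels, fanout, depth + 1);
}

/* Expand one reference to the level-1 entity; returns the error code. */
int parse_document(int levels, int fanout, struct ctx *out)
{
    struct ctx c = {0, 0, 0};
    expand(&c, 1, levels, fanout, 1);
    *out = c;
    return c.error;
}

int main(void)
{
    struct ctx c;
    int shapes[3][2] = { {3, 10}, {100, 1}, {10, 10} }; /* {levels, fanout} */
    for (int i = 0; i < 3; i++) {
        int rc = parse_document(shapes[i][0], shapes[i][1], &c);
        printf("levels=%d fanout=%d -> error=%d depth=%d substitutions=%lu\n",
               shapes[i][0], shapes[i][1], rc, c.max_depth_seen, c.nb_subst);
    }
    return 0;
}
```

The third shape never nests deeper than 10, so the depth guard stays silent; only the substitution counter stops it.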