A posting on the xml-dev mailing list refers to an advisory notice on
the CERT Finland website, which reports vulnerabilities in various XML
libraries, among which LibXML2 is listed.

| Several vulnerabilities regarding the parsing of XML data have
| been found in XML library implementations. CERT-FI coordinated
| the remediation efforts of these vulnerabilities.

| The vulnerabilities are related to the parsing of XML elements
| with unexpected byte values and recursive parentheses, which
| cause the program to access memory out of bounds, or to loop
| indefinitely. The effects of the vulnerabilities include denial
| of service and potentially code execution. The vulnerabilities
| can be exploited by enticing a user to open a specially modified
| file, or by submitting it to a server that handles XML content.

http://www.cert.fi/en/reports/2009/vulnerability2009085.html

LibXML2 is in good company, as Apache Xerces and some versions of Sun
JDK and JRE are also listed.

The WWW.CERT.FI server currently does not reply, so here is the contact
information listed on the page:

  vulncoord <at> ficora.fi

  Please quote the advisory reference
  [FICORA #245608] in the subject line

--
Michael Ludwig
_______________________________________________
xml mailing list, project page  http://xmlsoft.org/
[email protected]
http://mail.gnome.org/mailman/listinfo/xml
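As an added defensive illustration (not code from libxml2, Xerces or the advisory), the following parser for the DTD element content-model syntax that the advisory's "recursive parentheses" refers to shows both failure modes named there and the usual mitigation: a hard nesting limit (MAX_DEPTH is an assumed value, not any library's setting) so a deeply nested model is rejected instead of recursing until the stack is exhausted, and a strict name check so an unexpected byte is reported rather than consumed.

```python
"""Depth-limited parser for a simplified DTD element content model.

Grammar (cut down from the XML 1.0 spec, assumed for this demo):
    cp := Name | '(' cp ((',' | '|') cp)* ')'     optionally followed by ? * +
A naive recursive-descent parser recurses once per '(' and so a model such
as "((((...a...))))" nested thousands deep exhausts the call stack.
"""

MAX_DEPTH = 64  # assumed limit; a real parser chooses its own bound


class ContentModelError(ValueError):
    """Malformed content model, or nesting beyond the allowed depth."""


def parse_content_model(text: str, max_depth: int = MAX_DEPTH) -> tuple:
    """Return a nested tuple such as ('+', ('|', (('name','a'), ...)))."""
    pos, n = 0, len(text)

    def parse_cp(depth: int) -> tuple:
        nonlocal pos
        if depth > max_depth:  # the mitigation: stop before the stack does
            raise ContentModelError(f"nesting exceeds {max_depth} at offset {pos}")
        if pos >= n:
            raise ContentModelError("unexpected end of content model")
        if text[pos] == "(":
            pos += 1
            children, sep = [parse_cp(depth + 1)], None
            while pos < n and text[pos] in ",|":
                if sep is None:
                    sep = text[pos]
                elif text[pos] != sep:
                    raise ContentModelError(f"mixed ',' and '|' at offset {pos}")
                pos += 1
                children.append(parse_cp(depth + 1))
            if pos >= n or text[pos] != ")":
                raise ContentModelError(f"expected ')' at offset {pos}")
            pos += 1
            node = (sep or "seq", tuple(children))
        else:  # a Name: reject any byte outside the accepted name characters
            start = pos
            while pos < n and (text[pos].isalnum() or text[pos] in "_-.:"):
                pos += 1
            if start == pos:
                raise ContentModelError(f"expected name at offset {pos}")
            node = ("name", text[start:pos])
        if pos < n and text[pos] in "?*+":
            node, pos = (text[pos], node), pos + 1
        return node

    tree = parse_cp(0)
    if pos != n:
        raise ContentModelError(f"trailing data at offset {pos}")
    return tree
```

Feeding it a constructed model of 5000 nested parentheses raises ContentModelError at depth 65 instead of a RecursionError, which is the behaviour a bounded parser should show on hostile input.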