On 2022-02-19 18:01:52 +0100, Mattia Rizzolo wrote: > On Thu, Feb 10, 2022 at 01:08:33PM +0100, Vincent Lefevre wrote: > > This is no different than CVE-2013-0338 and CVE-2013-0339[*]. The > > point is that from a small document, one can exhaust the memory > > of the machine. CVE-2013-0338 and CVE-2013-0339 are about entity > > expansion, but there are the same consequences with just loading > > data in memory. > > > > [*] https://www.openwall.com/lists/oss-security/2013/02/22/3 > > If you believe so, and you confirmed that it hasn't been fixed in the > past 15 years, could you please either (or both): > * report it to mitre's CVE form > * report it in https://gitlab.gnome.org/GNOME/libxml2/-/issues > ?
I'll test again (I've been using a fake DTD for the past 15 years). -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
