CVE-2007-6284 - Resource Management Errors vulnerability in multiple products

Publication

2008-01-12

Last modification

2018-10-15

Summary

The xmlCurrentChar function in libxml2 before 2.6.31 allows context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences.

Description

The libxml2 library is prone to a denial-of-service vulnerability because of an infinite-loop flaw in xmlCurrentChar when it processes invalid UTF-8 sequences. Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of any application that uses the vulnerable library. Versions prior to libxml2 2.6.31 are affected by this issue.

Solution

The vendor released an upgraded version of libxml2 along with patches. Please see the references for more information.

Affected VideoLAN VLC media player releases and the release that fixes them (vendor page: http://www.videolan.org/vlc/):

  • VideoLAN VLC media player 0.8.6f: upgrade to VideoLAN VLC media player 0.8.6h
  • VideoLAN VLC media player 0.8.6b: upgrade to VideoLAN VLC media player 0.8.6h
  • VideoLAN VLC media player 0.8.6e: upgrade to VideoLAN VLC media player 0.8.6h
  • VideoLAN VLC media player 0.8.6g: upgrade to VideoLAN VLC media player 0.8.6h
  • VideoLAN VLC media player 0.8.6d: upgrade to VideoLAN VLC media player 0.8.6h
  • VideoLAN VLC media player 0.8.6: upgrade to VideoLAN VLC media player 0.8.6h

Exploit

Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: info@vumetric.com.

Classification

CWE-399 - Resource Management Errors

Risk level (CVSS AV:N/AC:L/Au:N/C:N/I:N/A:P)

Medium

5.0

CVSS v2 vector breakdown (from AV:N/AC:L/Au:N/C:N/I:N/A:P):

  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial

OVAL definition

{
    "accepted": "2013-04-29T04:14:51.422-04:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "Aharon Chernin",
            "organization": "SCAP.com, LLC"
        },
        {
            "name": "Dragos Prisaca",
            "organization": "G2, Inc."
        }
    ],
    "definition_extensions": [
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 3",
            "oval": "oval:org.mitre.oval:def:11782"
        },
        {
            "comment": "CentOS Linux 3.x",
            "oval": "oval:org.mitre.oval:def:16651"
        },
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 4",
            "oval": "oval:org.mitre.oval:def:11831"
        },
        {
            "comment": "CentOS Linux 4.x",
            "oval": "oval:org.mitre.oval:def:16636"
        },
        {
            "comment": "Oracle Linux 4.x",
            "oval": "oval:org.mitre.oval:def:15990"
        },
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 5",
            "oval": "oval:org.mitre.oval:def:11414"
        },
        {
            "comment": "The operating system installed on the system is CentOS Linux 5.x",
            "oval": "oval:org.mitre.oval:def:15802"
        },
        {
            "comment": "Oracle Linux 5.x",
            "oval": "oval:org.mitre.oval:def:15459"
        }
    ],
    "description": "The xmlCurrentChar function in libxml2 before 2.6.31 allows context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences.",
    "family": "unix",
    "id": "oval:org.mitre.oval:def:11594",
    "status": "accepted",
    "submitted": "2010-07-09T03:56:16-04:00",
    "title": "The xmlCurrentChar function in libxml2 before 2.6.31 allows context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences.",
    "version": "24"
}

{
    "accepted": "2008-03-24T04:00:40.950-04:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "Pai Peng",
            "organization": "Hewlett-Packard"
        }
    ],
    "definition_extensions": [
        {
            "comment": "Solaris 9 (SPARC) is installed",
            "oval": "oval:org.mitre.oval:def:1457"
        },
        {
            "comment": "Solaris 10 (SPARC) is installed",
            "oval": "oval:org.mitre.oval:def:1440"
        },
        {
            "comment": "Solaris 9 (x86) is installed",
            "oval": "oval:org.mitre.oval:def:1683"
        },
        {
            "comment": "Solaris 10 (x86) is installed",
            "oval": "oval:org.mitre.oval:def:1926"
        }
    ],
    "description": "The xmlCurrentChar function in libxml2 before 2.6.31 allows context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences.",
    "family": "unix",
    "id": "oval:org.mitre.oval:def:5216",
    "status": "accepted",
    "submitted": "2008-02-12T08:48:33.000-05:00",
    "title": "Security Vulnerability in the libxml2 Library May Lead to a Denial of Service (DoS)",
    "version": "35"
}

External references