Security: XML Entity Expansion Denial of Service

Bug #1259577 reported by Jonathan Riddell on 2013-12-10
This bug affects 1 person
Affects                          Importance  Assigned to
qt4-x11 (Ubuntu)                 Undecided   Unassigned
  Precise                        Undecided   Unassigned
  Quantal                        Undecided   Unassigned
  Raring                         Undecided   Unassigned
  Saucy                          Undecided   Unassigned
  Trusty                         Undecided   Unassigned
qtbase-opensource-src (Ubuntu)   Undecided   Unassigned
  Raring                         Undecided   Unassigned
  Saucy                          Undecided   Unassigned
  Trusty                         Undecided   Unassigned

Bug Description

http://lists.qt-project.org/pipermail/announce/2013-December/000036.html

Qt Project Security Advisory
----------------------------

Title: XML Entity Expansion Denial of Service
Risk Rating: Low
CVE: CVE-2013-4549
Platforms: All
Modules: QtBase
Versions: All versions before 5.2
Author: Richard J. Moore <rich at kde.org>
Date: 5 December 2013

Overview
--------

QXmlSimpleReader in Qt versions prior to 5.2 supports expansion of internal
entities in XML documents without placing restrictions to ensure the document
does not cause excessive memory usage. If an application using this API
processes untrusted data then the application may use unexpected amounts of
memory if a malicious document is processed.

Details
-------

It is possible to construct XML documents using internal entities that consume
large amounts of memory and other resources to process; this is known as the
'Billion Laughs' attack. Qt versions prior to 5.2 did not offer protection
against this issue.

Impact
------

An application loading untrusted XML data may consume arbitrary amounts of
memory and CPU when attempting to parse a maliciously constructed document.
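
An added example, not part of the advisory and not the Qt patch: one way to bound internal entity expansion is to compute each entity's expanded length arithmetically before expanding anything, and reject input that exceeds a budget. The names EntityChecker, kBudget and kSampleDtd and the budget value are assumptions for illustration; only double-quoted internal general entities are handled.

```cpp
#include <cstdint>
#include <map>
#include <regex>
#include <string>

constexpr std::uint64_t kBudget = 4096;            // assumed limit for this example
constexpr std::uint64_t kInProgress = UINT64_MAX;  // entity currently being measured

struct EntityChecker {
    std::map<std::string, std::string> decls;    // name -> replacement text
    std::map<std::string, std::uint64_t> sizes;  // memoised expanded lengths

    // Collect <!ENTITY name "value"> declarations (double-quoted internal entities).
    explicit EntityChecker(const std::string& dtd) {
        static const std::regex decl(R"rx(<!ENTITY\s+([^\s"%]+)\s+"([^"]*)"\s*>)rx");
        for (std::sregex_iterator it(dtd.begin(), dtd.end(), decl), end; it != end; ++it)
            decls.emplace((*it)[1].str(), (*it)[2].str());  // first declaration wins
    }

    // Expanded length, computed arithmetically; a result above kBudget means reject.
    std::uint64_t measure(const std::string& text) {
        std::uint64_t total = 0;
        for (std::size_t i = 0; i < text.size() && total <= kBudget;) {
            std::size_t semi = text[i] == '&' ? text.find(';', i) : std::string::npos;
            if (semi == std::string::npos) { ++total; ++i; continue; }
            total += entityLength(text.substr(i + 1, semi - i - 1));
            i = semi + 1;
        }
        return total > kBudget ? kBudget + 1 : total;
    }

    std::uint64_t entityLength(const std::string& name) {
        static const std::regex builtin("#.*|lt|gt|amp|apos|quot");
        if (std::regex_match(name, builtin)) return 1;       // char refs, predefined
        auto decl = decls.find(name);
        if (decl == decls.end()) return kBudget + 1;          // undeclared: reject
        auto res = sizes.emplace(name, kInProgress);
        if (!res.second)  // already cached, or a reference cycle if still in progress
            return res.first->second == kInProgress ? kBudget + 1 : res.first->second;
        return res.first->second = measure(decl->second);
    }
};

// Constructed sample: each level references the previous one ten times.
const std::string kSampleDtd =
    "<!ENTITY a \"lol\">"
    "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">"
    "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">"
    "<!ENTITY d \"&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;\">"
    "<!ENTITY e \"&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;\">";
```

Because lengths are memoised per entity, the check runs in time proportional to the size of the declarations, even when the nominal expansion is exponential or the entities expand to empty strings.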

CVE References

no longer affects: qtbase-opensource-src (Ubuntu Precise)
no longer affects: qtbase-opensource-src (Ubuntu Quantal)
tags: added: patch

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qtbase-opensource-src - 5.0.2+dfsg1-7ubuntu13

---------------
qtbase-opensource-src (5.0.2+dfsg1-7ubuntu13) trusty; urgency=low

  * SECURITY UPDATE: [XML Entity Expansion Denial of Service] (LP: #1259577).
    - add limit in src/xml/sax/qxml.cpp
    - http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
    - CVE-2013-4549
 -- Jonathan Riddell <email address hidden> Tue, 10 Dec 2013 15:08:17 +0000

Changed in qtbase-opensource-src (Ubuntu Trusty):
status: New → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.8.4+dfsg-0ubuntu20

---------------
qt4-x11 (4:4.8.4+dfsg-0ubuntu20) trusty; urgency=low

  * SECURITY UPDATE: [XML Entity Expansion Denial of Service] (LP: #1259577).
    - Add CVE-2013-4549.patch
    - add limit in src/xml/sax/qxml.cpp
    - http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
    - CVE-2013-4549
 -- Jonathan Riddell <email address hidden> Tue, 10 Dec 2013 16:30:00 +0000

Changed in qt4-x11 (Ubuntu Trusty):
status: New → Fix Released

Jonathan Riddell (jr) wrote :

Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs, thanks! I have uploaded them to the security team PPA to build and test, and will release them shortly.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.8.3+dfsg-0ubuntu3.2

---------------
qt4-x11 (4:4.8.3+dfsg-0ubuntu3.2) quantal-security; urgency=low

  * SECURITY UPDATE: [XML Entity Expansion Denial of Service] (LP: #1259577).
    - Add CVE-2013-4549.diff
    - add limit in src/xml/sax/qxml.cpp
    - http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
    - CVE-2013-4549
 -- Jonathan Riddell <email address hidden> Tue, 10 Dec 2013 22:44:01 +0000

Changed in qt4-x11 (Ubuntu Quantal):
status: New → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.8.4+dfsg-0ubuntu9.5

---------------
qt4-x11 (4:4.8.4+dfsg-0ubuntu9.5) raring-security; urgency=low

  * SECURITY UPDATE: [XML Entity Expansion Denial of Service] (LP: #1259577).
    - Add CVE-2013-4549.diff
    - add limit in src/xml/sax/qxml.cpp
    - http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
    - CVE-2013-4549
 -- Jonathan Riddell <email address hidden> Tue, 10 Dec 2013 20:51:37 +0000

Changed in qt4-x11 (Ubuntu Raring):
status: New → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qtbase-opensource-src - 5.0.1+dfsg-0ubuntu4.1

---------------
qtbase-opensource-src (5.0.1+dfsg-0ubuntu4.1) raring-security; urgency=low

  * SECURITY UPDATE: [XML Entity Expansion Denial of Service] (LP: #1259577).
    - Add CVE-2013-4549-xml-expansion.diff
    - add limit in src/xml/sax/qxml.cpp
    - http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
    - CVE-2013-4549
 -- Jonathan Riddell <email address hidden> Tue, 10 Dec 2013 15:59:04 +0000

Changed in qtbase-opensource-src (Ubuntu Raring):
status: New → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.8.4+dfsg-0ubuntu18.1

---------------
qt4-x11 (4:4.8.4+dfsg-0ubuntu18.1) saucy-security; urgency=low

  * SECURITY UPDATE: [XML Entity Expansion Denial of Service] (LP: #1259577).
    - Add CVE-2013-4549.diff
    - add limit in src/xml/sax/qxml.cpp
    - http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
    - CVE-2013-4549
 -- Jonathan Riddell <email address hidden> Tue, 10 Dec 2013 16:54:32 +0000

Changed in qt4-x11 (Ubuntu Saucy):
status: New → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.8.1-0ubuntu4.5

---------------
qt4-x11 (4:4.8.1-0ubuntu4.5) precise-security; urgency=low

  * SECURITY UPDATE: [XML Entity Expansion Denial of Service] (LP: #1259577).
    - Add CVE-2013-4549.diff
    - add limit in src/xml/sax/qxml.cpp
    - http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
    - CVE-2013-4549
 -- Jonathan Riddell <email address hidden> Tue, 10 Dec 2013 22:49:13 +0000

Changed in qt4-x11 (Ubuntu Precise):
status: New → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qtbase-opensource-src - 5.0.2+dfsg1-7ubuntu11.1

---------------
qtbase-opensource-src (5.0.2+dfsg1-7ubuntu11.1) saucy-security; urgency=low

  * SECURITY UPDATE: [XML Entity Expansion Denial of Service] (LP: #1259577).
    - Add CVE-2013-4549-xml-expansion.diff
    - add limit in src/xml/sax/qxml.cpp
    - http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
    - CVE-2013-4549
 -- Jonathan Riddell <email address hidden> Tue, 10 Dec 2013 15:34:35 +0000

Changed in qtbase-opensource-src (Ubuntu Saucy):
status: New → Fix Released