CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions
prior to V3.1.2

Description: The Xerces-C XML parser mishandles certain kinds of
malformed input documents, resulting in a segmentation fault during
a parse operation. The bug does not appear to allow for remote code
execution, but is a denial of service attack that in many applications
may allow for an unauthenticated attacker to supply malformed input
and cause a crash.

Mitigation: Applications that are using library versions older than
V3.1.2 should upgrade as soon as possible. Distributors of older versions
should apply the patches from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1667870

Credit: This issue was reported independently by Anton Rager and Jonathan
Brossard from the Salesforce.com Product Security Team and by Ben Laurie
of Google.

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt