Note: This is an archival copy of Security Sun Alert 201514 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001131.1.
Solaris 9 Operating System
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
a security vulnerability in the libxml2 library (see libxml2(3)) bundled with Solaris 9 and Solaris 10 (see below for full details)
There is a security vulnerability in the libxml2 library (see libxml2(3)) bundled with Solaris 9 and Solaris 10 which may impact applications making use of this library. The precise impact will vary depending on the application, but this vulnerability may allow a local or remote unprivileged user who provides a specially crafted XML file to cause a denial of service (DoS) to the application which is using the libxml2 library (or potentially to the system as a whole as the application may consume excessive resources).
Additional information regarding this issue is available at:
2. Contributing Factors
These issues can occur in the following releases:
Note: Solaris 8 does not include support for libxml2 and is not impacted by this issue.
If the described issue is exploited, the application which makes use of the libxml2 library to process the crafted XML file may be unresponsive, possibly consuming all available CPU resources while looping continuously. Commands such as prstat(1M) can be used to determine the utilization of system resources, for example:
$ prstat -s cpu [...]
Please see Resolution below.
This issue is addressed in the following releases:
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
11-Feb-2008: Updated Contributing Factors, Relief/Workaround and Resolution sections. Now Resolved.
This solution has no attachment