Public bug reported: http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
Qt Project Security Advisory
----------------------------

Title: XML Entity Expansion Denial of Service
Risk Rating: Low
CVE: CVE-2013-4549
Platforms: All
Modules: QtBase
Versions: All versions before 5.2
Author: Richard J. Moore <rich at kde.org>
Date: 5 December 2013

Overview
--------

QXmlSimpleReader in Qt versions prior to 5.2 supports expansion of internal entities in XML documents without placing restrictions to ensure the document does not cause excessive memory usage. If an application using this API processes untrusted data then the application may use unexpected amounts of memory if a malicious document is processed.

Details
-------

It is possible to construct XML documents using internal entities that consume large amounts of memory and other resources to process; this is known as the 'Billion Laughs' attack. Qt versions prior to 5.2 did not offer protection against this issue.

Impact
------

An application loading untrusted XML data may consume arbitrary amounts of memory and CPU when attempting to parse a maliciously constructed document.
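As an added defender-side illustration (not code from the advisory or from Qt), the following plain C++ pre-parse check estimates the total expanded size of the internal entities declared in a document's DOCTYPE subset, so that an application still on a Qt version before 5.2 can reject a document before handing it to QXmlSimpleReader. The function names, the 32-level depth guard and the sample documents are assumptions constructed for this example.

```cpp
#include <map>
#include <regex>
#include <string>

// Fully expanded size of entity `name`, following nested &ref; chains; memoised so
// shared subtrees are costed once, and it stops counting once `limit` is exceeded.
// Undefined or over-deep references count 0 (a conforming parser rejects them).
static size_t expandedSize(const std::map<std::string, std::string>& ents,
                           const std::string& name, size_t limit,
                           std::map<std::string, size_t>& memo, int depth) {
    auto hit = memo.find(name);
    if (hit != memo.end()) return hit->second;
    auto it = ents.find(name);
    if (it == ents.end() || depth > 32) return 0;
    static const std::regex ref("&([A-Za-z_][A-Za-z0-9_.-]*);");
    const std::string& v = it->second;
    size_t total = 0, last = 0;
    for (std::sregex_iterator m(v.begin(), v.end(), ref), end; m != end; ++m) {
        total += m->position() - last;                 // literal text before the reference
        total += expandedSize(ents, (*m)[1].str(), limit, memo, depth + 1);
        last = m->position() + m->length();
        if (total > limit) break;                      // budget blown: stop early
    }
    if (total <= limit) total += v.size() - last;      // trailing literal text
    return memo[name] = total;
}

// Sum of the expanded sizes of all internal entities declared in the DOCTYPE
// internal subset (hypothetical pre-parse gate, not a Qt API). A result above
// `limit` means the document should be rejected before it reaches the parser.
size_t totalEntityExpansion(const std::string& xml, size_t limit) {
    static const std::regex decl("<!ENTITY\\s+([A-Za-z_][A-Za-z0-9_.-]*)\\s+\"([^\"]*)\"\\s*>");
    std::map<std::string, std::string> ents;
    for (std::sregex_iterator m(xml.begin(), xml.end(), decl), end; m != end; ++m)
        ents.emplace((*m)[1].str(), (*m)[2].str());
    std::map<std::string, size_t> memo;
    size_t total = 0;
    for (const auto& e : ents) {
        total += expandedSize(ents, e.first, limit, memo, 0);
        if (total > limit) break;
    }
    return total;
}

// Constructed samples: a benign document, and a three-level nested one in which
// each level references the previous one four times (3 * 4 * 4 = 48 bytes for `c`).
const std::string kBenignXml =
    "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY co \"Example Corp\">]><d>&co;</d>";
const std::string kNestedXml =
    "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY a \"lol\">"
    "<!ENTITY b \"&a;&a;&a;&a;\"><!ENTITY c \"&b;&b;&b;&b;\">]><d>&c;</d>";
```

The budget is a cheap upper-bound estimate of what the parser would materialise; the real fix is upgrading to Qt 5.2 or later, where the reader enforces its own limits.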
** Affects: qt4-x11 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: qtbase-opensource-src (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: qt4-x11 (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: qtbase-opensource-src (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: qt4-x11 (Ubuntu Quantal)
     Importance: Undecided
         Status: New

** Affects: qtbase-opensource-src (Ubuntu Quantal)
     Importance: Undecided
         Status: New

** Affects: qt4-x11 (Ubuntu Raring)
     Importance: Undecided
         Status: New

** Affects: qtbase-opensource-src (Ubuntu Raring)
     Importance: Undecided
         Status: New

** Affects: qt4-x11 (Ubuntu Saucy)
     Importance: Undecided
         Status: New

** Affects: qtbase-opensource-src (Ubuntu Saucy)
     Importance: Undecided
         Status: New

** Affects: qt4-x11 (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: qtbase-opensource-src (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Also affects: qtbase-opensource-src (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1259577

Title:
  Security: XML Entity Expansion Denial of Service

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs