FreeBSD : qt4-xml -- XML Entity Expansion Denial of Service (89709e58-d497-11e3-a3d5-5453ed2e2b49)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Richard J. Moore reports :

QXmlSimpleReader in Qt versions prior to 5.2 supports expansion of
internal entities in XML documents without placing restrictions to
ensure the document does not cause excessive memory usage. If an
application using this API processes untrusted data then the
application may use unexpected amounts of memory if a malicious
document is processed.

It is possible to construct XML documents using internal entities that
consume large amounts of memory and other resources to process; this
is known as the 'Billion Laughs' attack. Qt versions prior to 5.2 did
not offer protection against this issue.
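The following is an added example, not code from Qt, FreeBSD or Tenable, and it does not use QXmlSimpleReader. It shows the shape of the document the advisory describes: a few hundred bytes of nested internal entity declarations whose single reference in the document body expands to gigabytes. It then shows the kind of defence a hardened parser needs, an estimate of the expanded size computed from the entity declarations before any expansion happens, with parsing refused above a limit. The function names (build_billion_laughs, entity_expansion_bytes, parse_bounded), the 1,000,000-byte default limit and the regex-based DOCTYPE handling are this example's own assumptions, not Qt's API or the fix Qt 5.2 shipped.

```python
"""Billion Laughs: bytes on the wire versus bytes after entity expansion.

Added example (not from Qt, FreeBSD or Tenable). Builds a constructed
'Billion Laughs' document, estimates how large its internal entities would
expand to *before* parsing, and refuses to parse past a limit.
"""
import re
import xml.etree.ElementTree as ET

# Internal subset of a DOCTYPE:  <!DOCTYPE root [ ... ]>
_INTERNAL_SUBSET = re.compile(r"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.S)
# Internal general entities only; parameter (%) and external (SYSTEM/PUBLIC)
# entity declarations deliberately do not match this pattern.
_ENTITY_DECL = re.compile(r"""<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
_ENTITY_REF = re.compile(r"&(\w+);")


def build_billion_laughs(depth: int, fanout: int) -> str:
    """Constructed sample document. lol0 is 3 bytes and each lolN is `fanout`
    references to lolN-1, so the body expands to 3 * fanout**depth bytes."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return (
        '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
        + "\n".join(decls)
        + f"\n]>\n<lolz>&lol{depth};</lolz>\n"
    )


def _expanded_len(name, decls, memo, active):
    """Expanded length of one entity, computed from lengths only (nothing is
    materialised). A reference cycle is a well-formedness error in XML."""
    if name in memo:
        return memo[name]
    if name in active:
        raise ValueError(f"recursive entity reference: &{name};")
    active.add(name)
    value = decls[name]
    total = len(value)
    for ref in _ENTITY_REF.finditer(value):
        inner = ref.group(1)
        if inner in decls:  # predefined entities (&amp; etc.) are counted as-is
            total += _expanded_len(inner, decls, memo, active) - len(ref.group(0))
    active.discard(name)
    memo[name] = total
    return total


def entity_expansion_bytes(xml_text: str) -> int:
    """Bytes that internal-entity references in the document body expand to.
    Lexical pre-check (regexes over the DOCTYPE), not a full DTD parser."""
    m = _INTERNAL_SUBSET.search(xml_text)
    if not m:
        return 0
    decls = {}
    for d in _ENTITY_DECL.finditer(m.group(1)):
        # XML: when an entity is declared twice, the first declaration binds.
        decls.setdefault(d.group(1), d.group(2) if d.group(2) is not None else d.group(3))
    memo, total = {}, 0
    for ref in _ENTITY_REF.finditer(xml_text[m.end():]):
        if ref.group(1) in decls:
            total += _expanded_len(ref.group(1), decls, memo, set())
    return total


def parse_bounded(xml_text: str, max_expansion: int = 1_000_000) -> ET.Element:
    """Refuse documents whose entities would expand past max_expansion bytes,
    then hand the remaining ones to the stdlib parser."""
    expansion = entity_expansion_bytes(xml_text)
    if expansion > max_expansion:
        raise ValueError(f"entity expansion of {expansion} bytes exceeds limit {max_expansion}")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    small = build_billion_laughs(depth=2, fanout=3)
    print(len(small), "bytes on the wire ->", entity_expansion_bytes(small), "bytes expanded")
    big = build_billion_laughs(depth=9, fanout=10)
    print(len(big), "bytes on the wire ->", entity_expansion_bytes(big), "bytes expanded")
    try:
        parse_bounded(big)
    except ValueError as e:
        print("rejected:", e)
```

The estimate is computed from declaration lengths alone, so it costs nothing proportional to the expansion; the nine-level, ten-way document is under 1 KB on the wire and is rejected before the parser sees it. The same walk catches a reference cycle (`&a;` defined as `&b;` and vice versa), which a conforming parser must reject anyway.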

See also :

http://www.nessus.org/u?6cfa8350
http://www.nessus.org/u?3dd5c046

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 73881

Bugtraq ID:

CVE ID: CVE-2013-4549
