FreeBSD : qt4-xml -- XML Entity Expansion Denial of Service (89709e58-d497-11e3-a3d5-5453ed2e2b49)

Medium Nessus Plugin ID 73881


The remote FreeBSD host is missing a security-related update.


Richard J. Moore reports:

QXmlSimpleReader in Qt versions prior to 5.2 supports expansion of internal entities in XML documents without placing restrictions to ensure the document does not cause excessive memory usage. If an application using this API processes untrusted data then the application may use unexpected amounts of memory if a malicious document is processed.

It is possible to construct XML documents using internal entities that consume large amounts of memory and other resources to process; this is known as the 'Billion Laughs' attack. Qt versions prior to 5.2 did not offer protection against this issue.
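The following is an added example, not code from Qt, FreeBSD or the Nessus plugin: a pre-parse guard an application can run on untrusted XML before handing it to a parser that does not bound entity expansion itself, such as QXmlSimpleReader before Qt 5.2. It computes how large the document's internal general entities would expand to (with cycle detection) and rejects the input when that size exceeds a limit. The two sample documents are constructed for illustration; the nested one uses three levels of four references so that one entity expands to 64 bytes, enough to show the geometric growth the advisory describes without being large.

```python
"""Pre-parse guard against internal-entity expansion ("Billion Laughs").

Added example, not Qt code. Covers internal general entities only
(<!ENTITY name "value">); external and parameter entities are out of
scope, which matches the issue described in the advisory.
"""
import re

# Internal general entity declarations, double- or single-quoted.
_ENTITY_DECL = re.compile(
    r'''<!ENTITY\s+([A-Za-z_][\w.\-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>''')
# General entity references such as &name; (character references &#..; excluded).
_ENTITY_REF = re.compile(r'&([A-Za-z_][\w.\-]*);')
# The DOCTYPE with its internal subset; stripped so declarations are not counted as body.
_DOCTYPE = re.compile(r'<!DOCTYPE\b.*?\]\s*>', re.DOTALL)


class EntityExpansionError(ValueError):
    """Raised when expansion would exceed the limit or entities are recursive."""


def declared_entities(doc):
    """Return {name: replacement text} for every internal general entity."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _ENTITY_DECL.finditer(doc)}


def expanded_size(doc, limit=1_000_000):
    """Bytes the document body would occupy once all entity references are expanded.

    Stops early (raising EntityExpansionError) as soon as the running total
    passes `limit`, so a hostile document cannot make the estimator itself
    expensive; recursive entity definitions are rejected as well.
    """
    entities = declared_entities(doc)
    memo = {}          # name -> expanded size, computed once per entity
    visiting = set()   # names on the current expansion path (cycle detection)

    def size_of(text):
        total, last = 0, 0
        for m in _ENTITY_REF.finditer(text):
            total += m.start() - last
            name = m.group(1)
            if name in entities:
                total += entity_size(name)
            else:
                # Undeclared or predefined (&amp; etc.): count the literal length,
                # a conservative overestimate.
                total += m.end() - m.start()
            if total > limit:
                raise EntityExpansionError("expansion exceeds %d bytes" % limit)
            last = m.end()
        return total + (len(text) - last)

    def entity_size(name):
        if name in memo:
            return memo[name]
        if name in visiting:
            raise EntityExpansionError("recursive entity &%s;" % name)
        visiting.add(name)
        size = size_of(entities[name])
        visiting.discard(name)
        memo[name] = size
        return size

    body = _DOCTYPE.sub("", doc, count=1)
    return size_of(body)


def is_safe(doc, limit=1_000_000):
    """True if the document can be parsed without expanding past `limit` bytes."""
    try:
        return expanded_size(doc, limit) <= limit
    except EntityExpansionError:
        return False


# Constructed sample: one harmless entity, expands to "Example Corp".
SAFE_DOC = """<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY vendor "Example Corp"> ]>
<note><from>&vendor;</from></note>"""

# Constructed sample: three levels of four references each, so &l3; expands
# to 4*4*4 = 64 copies of "x". The same structure with more levels is what
# makes the real attack exhaust memory.
NESTED_DOC = """<?xml version="1.0"?>
<!DOCTYPE d [
 <!ENTITY l0 "x">
 <!ENTITY l1 "&l0;&l0;&l0;&l0;">
 <!ENTITY l2 "&l1;&l1;&l1;&l1;">
 <!ENTITY l3 "&l2;&l2;&l2;&l2;">
]>
<d>&l3;</d>"""

# Constructed sample: mutually recursive entities, which must be rejected outright.
RECURSIVE_DOC = '<!DOCTYPE d [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]><d>&a;</d>'

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("nested", NESTED_DOC), ("recursive", RECURSIVE_DOC)):
        print(label, "accepted" if is_safe(doc, limit=50) else "rejected (limit 50)")
```

Run the guard with a limit chosen for the application's real documents and only pass accepted input to the parser; the estimate is an upper bound (predefined entities are counted at their literal length), so it errs on the side of rejecting.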


Update the affected package.

Plugin Details

Severity: Medium

ID: 73881

File Name: freebsd_pkg_89709e58d49711e3a3d55453ed2e2b49.nasl

Version: $Revision: 1.1 $

Type: local

Published: 2014/05/06

Modified: 2014/05/06

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:qt4-xml, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2014/05/05

Vulnerability Publication Date: 2013/12/05

Reference Information

CVE: CVE-2013-4549