FreeBSD : qt4-xml -- XML Entity Expansion Denial of Service (89709e58-d497-11e3-a3d5-5453ed2e2b49)
Medium Nessus Plugin ID 73881
SynopsisThe remote FreeBSD host is missing a security-related update.
DescriptionRichard J. Moore reports :
QXmlSimpleReader in Qt versions prior to 5.2 supports expansion of internal entities in XML documents without placing restrictions to ensure the document does not cause excessive memory usage. If an application using this API processes untrusted data then the application may use unexpected amounts of memory if a malicious document is processed.
It is possible to construct XML documents using internal entities that consume large amounts of memory and other resources to process, this is known as the 'Billion Laughs' attack. Qt versions prior to 5.2 did not offer protection against this issue.
SolutionUpdate the affected package.