CVE-2013-1864
Description
The Portable Tool Library (aka PTLib) before 2.10.10, as used in Ekiga before 4.0.1, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted PXML document containing a large number of nested entity references, aka a "billion laughs attack."
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| opalvoip | portable_tool_library | 2.10.1 | |
| opalvoip | portable_tool_library | 2.10.2 | |
| opalvoip | portable_tool_library | 2.10.7 | |
| opalvoip | portable_tool_library | 2.10.9 | |
| ekiga | ekiga | {"endIncluding":"4.0.0"} | |
| suse | suse_linux_enterprise_software_development_kit | 11.0 | |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099553.html
- http://osvdb.org/91439
- http://seclists.org/oss-sec/2013/q1/674
- http://secunia.com/advisories/52659
- http://sourceforge.net/p/opalvoip/code/28856
- http://www.ekiga.org/news/2013-02-21/ekiga-4.0.1-stable-available
- http://www.securityfocus.com/bid/58520
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82885
- https://www.suse.com/support/update/announcement/2014/suse-su-20140237-1.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099553.html
- http://osvdb.org/91439
- http://seclists.org/oss-sec/2013/q1/674
- http://secunia.com/advisories/52659
- http://sourceforge.net/p/opalvoip/code/28856
- http://www.ekiga.org/news/2013-02-21/ekiga-4.0.1-stable-available
- http://www.securityfocus.com/bid/58520
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82885
- https://www.suse.com/support/update/announcement/2014/suse-su-20140237-1.html
CWEs
CWE-119
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.