[ILUG] is libxml(2) insecure?
Kenn Humborg
kenn at bluetree.ie
Fri Oct 29 09:49:55 IST 2004
> 3. Is the XML library a security risk? Would it be ok use it for
> configuration
> storage/processing?
Fedora libxml2 security advisory:
http://lwn.net/Articles/108832/
If the config files are only editable by root anyway, then there
isn't any additional exposure. If a privileged process is
reading XML files generated by non-privileges users, then there
is the potential of a privilege-elevation attack (maybe not with
this particular vulnerability, but there could be others).
I'd say if you don't need the flexibility and structure of an
XML format, go with the simpler shell script setting env vars
format.
Later,
Kenn
More information about the ILUG
mailing list