Daniel Berrange discovered that libxml2 incorrectly performs entity
substitution in the doctype prolog, even if the application using
libxml2 disabled any entity substitution. A remote attacker could
provide a specially crafted XML file that, when processed, leads to the
exhaustion of CPU and memory resources or file descriptors.