[ASA-201810-3] libxml2: denial of service
Arch Linux Security Advisory ASA-201810-3 ========================================= Severity: Medium Date : 2018-10-01 CVE-ID : CVE-2018-9251 Package : libxml2 Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-672 Summary ======= The package libxml2 before version 2.9.8-5 is vulnerable to denial of service. Resolution ========== Upgrade to 2.9.8-5. # pacman -Syu "libxml2>=2.9.8-5" The problem has been fixed upstream but no release is available yet. Workaround ========== None. Description =========== A security issue has been found in libxml2 <= 2.9.8 compiled with LZMA support enabled, in the xz_decomp function in xzlib.c. This flaw allows a remote attacker to cause a denial of service via an infinite loop, using a crafted XML payload that triggers LZMA_MEMLIMIT_ERROR. Impact ====== A remote attacker is able to cause a denial of service by parsing a specially crafted XML payload. References ========== https://bugzilla.gnome.org/show_bug.cgi?id=794914 https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e2637... https://security.archlinux.org/CVE-2018-9251
participants (1)
-
Jelle van der Waa