Source: libxml2
Version: 2.9.1+dfsg1-5
Severity: important
Tags: patch security upstream
Control: fixed -1 2.9.7+dfsg-1
Control: block -1 by 895195


The following vulnerability was published for libxml2.

| The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote
| attackers to cause a denial of service (memory consumption) via a
| crafted LZMA file, because the decoder functionality does not restrict
| memory usage to what is required for a legitimate file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

It's important though to not apply the upstream commit
e2a9122b8dde53d320750451e9907a7dcb2ca8bb without adressing the
upstream issue
(otherwise libxml2 will be opened to CVE-2018-9251 as it is now the
case for the libxml2 upload to experimental, thus i added a block to
indicate that).

For further information see:



Reply via email to