Source: libxml2 Version: 2.9.1+dfsg1-5 Severity: important Tags: patch security upstream Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=786696 Control: fixed -1 2.9.7+dfsg-1 Control: block -1 by 895195
Hi, The following vulnerability was published for libxml2. CVE-2017-18258[0]: | The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote | attackers to cause a denial of service (memory consumption) via a | crafted LZMA file, because the decoder functionality does not restrict | memory usage to what is required for a legitimate file. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. It's important though to not apply the upstream commit e2a9122b8dde53d320750451e9907a7dcb2ca8bb without adressing the upstream issue https://bugzilla.gnome.org/show_bug.cgi?id=794914 (otherwise libxml2 will be opened to CVE-2018-9251 as it is now the case for the libxml2 upload to experimental, thus i added a block to indicate that). For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-18258 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18258 [1] https://bugzilla.gnome.org/show_bug.cgi?id=786696 [2] https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb Regards, Salvatore