[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Clarify status for CVE-2018-9251/libxml2
Salvatore Bonaccorso
carnil at debian.org
Sun Apr 8 20:04:04 BST 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
19691629 by Salvatore Bonaccorso at 2018-04-08T21:03:00+02:00
Clarify status for CVE-2018-9251/libxml2
Add CVE-2017-18258 at the same time. The situation has been clarified.
So CVE-2018-9251 is only an issue if upstream commit
https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
is applied (which was assigned CVE-2017-18258).
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1342,13 +1342,21 @@ CVE-2018-9252 (JasPer 2.0.14 allows denial of service via a reachable assertion
NOTE: https://github.com/mdadams/jasper/issues/173
NOTE: Negligable impact
CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is ...)
- - libxml2 <unfixed> (bug #895195)
+ - libxml2 <not-affected> (Fix for CVE-2017-18258 not applied, cf. bug #895195)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794914
NOTE: Before upstream commit https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
NOTE: the memlimit argument to lzma_auto_decoder was set to UINT64_MAX, possibly
NOTE: allowing a malicious LZMA compressed files to consume large amounts of memory
- NOTE: when decompressed. After upstream commit e2a9122b8dde53d320750451e9907a7dcb2ca8bb
- NOTE: with xz_decomp is more prominently uncovered.
+ NOTE: when decompressed. Setting memlimit to UINT64_MAX the limiter is effectively
+ NOTE: disabled and "lzma_auto_decoder(&state->strm, UINT64_MAX, 0)" can never result
+ NOTE: in LZMA_MEMLIMIT_ERROR outcome because there is no way to exceed UINT64_MAX.
+ NOTE: Thus CVE-2018-9251 is only affecting libxml2 if e2a9122b8dde53d320750451e9907a7dcb2ca8bb
+CVE-2017-18258 [Set memory limit for LZMA decompression]
+ - libxml2 <unfixed>
+ NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=786696
+ NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
+ NOTE: When fixing this issue make sure to not open CVE-2018-9251 and apply
+ NOTE: the fix for CVE-2018-9251 / https://bugzilla.gnome.org/show_bug.cgi?id=794914
CVE-2018-9250
RESERVED
CVE-2018-9249 (FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass by ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/196916297e9eb45b27cf9291d94e40229f9e55fe
---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/196916297e9eb45b27cf9291d94e40229f9e55fe
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180408/74c5563a/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list