[xml/sgml-pkgs] Bug#870870: libxml2: CVE-2017-0663: Heap buffer overflow in xmlAddID
Salvatore Bonaccorso
carnil at debian.org
Sat Aug 5 21:01:53 UTC 2017
Source: libxml2
Version: 2.9.1+dfsg1-5
Severity: important
Tags: patch security upstream
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=780228
Hi,
the following vulnerability was published for libxml2.
CVE-2017-0663[0]:
| A remote code execution vulnerability in libxml2 could enable an
| attacker using a specially crafted file to execute arbitrary code
| within the context of an unprivileged process. This issue is rated as
| High due to the possibility of remote code execution in an application
| that uses this library. Product: Android. Versions: 4.4.4, 5.0.2,
| 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-0663
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
[1] https://bugzilla.gnome.org/show_bug.cgi?id=780228
[2] https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1462225
    https://bugzilla.redhat.com/show_bug.cgi?id=1462225#c2
    https://bugzilla.redhat.com/show_bug.cgi?id=1462225#c3
[4] https://bugzilla.novell.com/show_bug.cgi?id=1044337
Regards,
Salvatore