[xml/sgml-pkgs] Bug#895195: libxml2: CVE-2018-9251

Salvatore Bonaccorso carnil at debian.org
Sun Apr 8 09:42:11 UTC 2018

Source: libxml2
Version: 2.9.7+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=794914


The following vulnerability was published for libxml2.

I'm currently clarifying the scope for CVE-2018-9251 with MITRE.
Basically before e2a9122b8dde53d320750451e9907a7dcb2ca8bb upstrema
commit the limiter was disabled effecitively. I'm trying to clarify if
thus the scope CVE-2018-9251 should be consider only for libxml2
version which did apply e2a9122b8dde53d320750451e9907a7dcb2ca8bb. The
question on e2a9122b8dde53d320750451e9907a7dcb2ca8bb is another one,
since it has potential for denial of service, and asked for if that
should get a separate CVE id.

| The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is
| used, allows remote attackers to cause a denial of service (infinite
| loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as
| demonstrated by xmllint, a different vulnerability than CVE-2015-8035.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-9251
[1] https://bugzilla.gnome.org/show_bug.cgi?id=794914


More information about the debian-xml-sgml-pkgs mailing list