[xml/sgml-pkgs] Bug#895195: libxml2: CVE-2018-9251

Salvatore Bonaccorso carnil at debian.org
Sun Apr 8 19:08:57 UTC 2018

Control: severity -1 serious

On Sun, Apr 08, 2018 at 11:42:11AM +0200, Salvatore Bonaccorso wrote:
> I'm currently clarifying the scope for CVE-2018-9251 with MITRE.
> Basically before e2a9122b8dde53d320750451e9907a7dcb2ca8bb upstrema
> commit the limiter was disabled effecitively. I'm trying to clarify if
> thus the scope CVE-2018-9251 should be consider only for libxml2
> version which did apply e2a9122b8dde53d320750451e9907a7dcb2ca8bb. The
> question on e2a9122b8dde53d320750451e9907a7dcb2ca8bb is another one,
> since it has potential for denial of service, and asked for if that
> should get a separate CVE id.

This has been clarified. So CVE-2018-9251 is only an issue if upstream
commit e2a9122b8dde53d320750451e9907a7dcb2ca8bb has been applied. See
details in https://bugzilla.gnome.org/show_bug.cgi?id=794914 .

I'm raising the severity to RC so that (since it only affects
experimental), does not enter unstable in this form.

There is though no upstream fix accepted yet, although the reporter
has proposed a solution.


More information about the debian-xml-sgml-pkgs mailing list