[xml/sgml-pkgs] Bug#895245: libxml2: CVE-2017-18258: Set memory limit for LZMA decompression

Salvatore Bonaccorso carnil at debian.org
Sun Apr 8 19:17:16 UTC 2018

Source: libxml2
Version: 2.9.1+dfsg1-5
Severity: important
Tags: patch security upstream
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=786696
Control: fixed -1 2.9.7+dfsg-1
Control: block -1 by 895195


The following vulnerability was published for libxml2.

| The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote
| attackers to cause a denial of service (memory consumption) via a
| crafted LZMA file, because the decoder functionality does not restrict
| memory usage to what is required for a legitimate file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

It's important though to not apply the upstream commit
e2a9122b8dde53d320750451e9907a7dcb2ca8bb without adressing the
upstream issue https://bugzilla.gnome.org/show_bug.cgi?id=794914
(otherwise libxml2 will be opened to CVE-2018-9251 as it is now the
case for the libxml2 upload to experimental, thus i added a block to
indicate that).

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-18258
[1]  https://bugzilla.gnome.org/show_bug.cgi?id=786696
[2] https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb


More information about the debian-xml-sgml-pkgs mailing list