[xml/sgml-pkgs] Bug#895245: libxml2: CVE-2017-18258: Set memory limit for LZMA decompression
carnil at debian.org
Sun Apr 8 19:17:16 UTC 2018
Tags: patch security upstream
Control: fixed -1 2.9.7+dfsg-1
Control: block -1 by 895195
The following vulnerability was published for libxml2.
| The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote
| attackers to cause a denial of service (memory consumption) via a
| crafted LZMA file, because the decoder functionality does not restrict
| memory usage to what is required for a legitimate file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
It's important though to not apply the upstream commit
e2a9122b8dde53d320750451e9907a7dcb2ca8bb without adressing the
upstream issue https://bugzilla.gnome.org/show_bug.cgi?id=794914
(otherwise libxml2 will be opened to CVE-2018-9251 as it is now the
case for the libxml2 upload to experimental, thus i added a block to
For further information see:
More information about the debian-xml-sgml-pkgs