[Pkg-rust-maintainers] Bug#1037534: rust-xml-rs: CVE-2023-34411
Salvatore Bonaccorso
carnil at debian.org
Tue Jun 13 21:59:45 BST 2023
Hi,
On Tue, Jun 13, 2023 at 10:55:24PM +0200, Salvatore Bonaccorso wrote:
> Source: rust-xml-rs
> Version: 0.8.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/netvl/xml-rs/pull/226
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for rust-xml-rs.
>
> CVE-2023-34411[0]:
> | The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of
> | service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A
> | nesting) in an XML document. The earliest affected version is 0.8.9.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-34411
> https://www.cve.org/CVERecord?id=CVE-2023-34411
> [1] https://github.com/netvl/xml-rs/pull/226
> [2] https://github.com/netvl/xml-rs/commit/c09549a187e62d39d40467f129e64abf32efc35c
Actually, the issue is introduced with
https://github.com/netvl/xml-rs/commit/014d808be900c85a0afc5ccdfe668be040d175aa
in 0.8.9 so no Debian version would be affected.
If you can confirm, please close the bug!
Regards,
Salvatore
More information about the Pkg-rust-maintainers
mailing list