MGASA-2019-0047

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2019-0047.html

Import Source

https://advisories.mageia.org/MGASA-2019-0047.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2019-0047

Related

Published

2019-01-23T15:50:09Z

Modified

2019-01-23T15:12:05Z

Summary

Updated libxml2 packages fix security vulnerabilities

Details

A flaw was found in libxml2 2.9.8. The xzdecomp function in xzlib.c, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMAMEMLIMIT_ERROR, as demonstrated by xmllint (CVE-2018-9251, CVE-2018-14567).

A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing invalid XPath expression. Applications processing untrusted XSL format inputs with the use of libxml2 library may be vulnerable to denial of service attack due to crash of the application (CVE-2018-14404).

The libxml2 package has been updated to version 2.9.9 to fix these issues and other bugs.

The perl-XML-LibXML package has been rebuilt against the updated libxml2.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:6 / libxml2

Package

Name: libxml2
Purl: pkg:rpm/mageia/libxml2?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.9-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / perl-XML-LibXML

Package

Name: perl-XML-LibXML
Purl: pkg:rpm/mageia/perl-XML-LibXML?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.13.200-1.1.mga6

Ecosystem specific

{
    "section": "core"
}