Source: libxml2 Version: 2.9.7+dfsg-1 Severity: important Tags: security upstream Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=794914
Hi, The following vulnerability was published for libxml2. I'm currently clarifying the scope for CVE-2018-9251 with MITRE. Basically before e2a9122b8dde53d320750451e9907a7dcb2ca8bb upstrema commit the limiter was disabled effecitively. I'm trying to clarify if thus the scope CVE-2018-9251 should be consider only for libxml2 version which did apply e2a9122b8dde53d320750451e9907a7dcb2ca8bb. The question on e2a9122b8dde53d320750451e9907a7dcb2ca8bb is another one, since it has potential for denial of service, and asked for if that should get a separate CVE id. CVE-2018-9251[0]: | The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is | used, allows remote attackers to cause a denial of service (infinite | loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as | demonstrated by xmllint, a different vulnerability than CVE-2015-8035. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-9251 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9251 [1] https://bugzilla.gnome.org/show_bug.cgi?id=794914 Regards, Salvatore
