Your submission was sent successfully! Close

CVE-2015-8035

Published: 2 November 2015

The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.

Notes

AuthorNote
tyhicks
The test xz file does not trigger the DoS in our 2.9.2 builds.
xz support was accidentally disabled in 2.9.2. Marking the devel release
as 'needed' so that the build system fix
(18b8988511b0954272cac4d6c3e6724f9dbf6e0a) doesn't slip in without this
CVE fix.
Priority

Medium

Status

Package Release Status
libxml2
Launchpad, Ubuntu, Debian
precise Not vulnerable
(xz support not present)
trusty
Released (2.9.1+dfsg1-3ubuntu4.5)
upstream Needs triage

vivid Not vulnerable
(xz support disabled)
wily Not vulnerable
(xz support disabled)
Patches:
upstream: https://git.gnome.org/browse/libxml2/commit/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63