CVE-2015-8035
Published: 2 November 2015
The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
Notes
Author | Note |
---|---|
tyhicks | The test xz file does not trigger the DoS in our 2.9.2 builds. xz support was accidentally disabled in 2.9.2. Marking the devel release as 'needed' so that the build system fix (18b8988511b0954272cac4d6c3e6724f9dbf6e0a) doesn't slip in without this CVE fix. |
Priority
Status
Package | Release | Status |
---|---|---|
libxml2 (Launchpad, Ubuntu, Debian) | precise | Not vulnerable (xz support not present) |
libxml2 | trusty | Released (2.9.1+dfsg1-3ubuntu4.5) |
libxml2 | upstream | Needs triage |
libxml2 | vivid | Not vulnerable (xz support disabled) |
libxml2 | wily | Not vulnerable (xz support disabled) |
Patches: upstream: https://git.gnome.org/browse/libxml2/commit/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
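A way to check an installed Ubuntu libxml2 package against the status table above. This is an added example, not Ubuntu's or the CVE tracker's own tooling: it re-implements the Debian version ordering that `dpkg --compare-versions` follows (so it also runs where dpkg is absent), takes the fixed trusty version from the table, treats the releases the table lists as "Not vulnerable" as such regardless of installed version, and reports "needs triage" for upstream or any release the table does not cover. The `dpkg -s` output it parses is a constructed sample, not a real capture.

```python
"""Check an installed libxml2 version against the CVE-2015-8035 status table.

Added example, not Ubuntu's own tooling. The comparison below follows the
Debian policy version ordering (epoch, upstream version, Debian revision;
'~' sorts before everything, letters before other non-digits, digit runs
compared numerically), which is what `dpkg --compare-versions` applies.
"""
import re

# Fixed versions per release, copied from the status table above.
# None means the release is listed "Not vulnerable" (xz support absent/disabled).
FIXED = {
    "precise": None,
    "trusty": "2.9.1+dfsg1-3ubuntu4.5",
    "vivid": None,
    "wily": None,
}


def _order(c):
    """Sort weight of one character (or '' for end of string) in a version fragment."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1          # '~' sorts before everything, even the empty string
    if c.isalpha():
        return ord(c)      # letters sort before other non-digit characters
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings; <0, 0 or >0."""
    while a or b:
        # Non-digit run: compare character by character.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: strip leading zeros, then compare numerically.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            if first_diff == 0:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1       # a has more digits, so it is the larger number
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (int epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b under Debian ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def status(release, installed):
    """Classify an installed version as 'not vulnerable', 'fixed', 'vulnerable' or 'needs triage'."""
    if release not in FIXED:
        return "needs triage"      # upstream, or a release the table does not list
    fixed = FIXED[release]
    if fixed is None:
        return "not vulnerable"    # xz support absent/disabled in that release
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


def version_from_dpkg_status(text):
    """Pull the Version: field out of `dpkg -s libxml2` output; None if absent."""
    m = re.search(r"^Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


# Constructed sample of `dpkg -s libxml2` output on a trusty host (not a real capture).
SAMPLE_DPKG_STATUS = """Package: libxml2
Status: install ok installed
Version: 2.9.1+dfsg1-3ubuntu4.4
"""

if __name__ == "__main__":
    v = version_from_dpkg_status(SAMPLE_DPKG_STATUS)
    print("trusty", v, "->", status("trusty", v))
```

On a real host, feed `status()` the release name from `lsb_release -sc` and the version from `dpkg -s libxml2`; the trusty row is the only one with a fixed version to compare against, and a version that compares lower than it (for example the constructed `4.4` above) is reported as vulnerable.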