CVE-2017-0663

Published: 14 June 2017

A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package: android (Launchpad, Ubuntu, Debian)
  Upstream:                          Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver):  Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus):   Ignored (abandoned)
  Ubuntu 14.04 ESM (Trusty Tahr):    Does not exist (trusty was ignored [abandoned])

Package: libxml2 (Launchpad, Ubuntu, Debian)
  Upstream:                          Released (2.9.4+dfsg1-3.1)
  Ubuntu 18.04 LTS (Bionic Beaver):  Not vulnerable (2.9.4+dfsg1-3.1)
  Ubuntu 16.04 LTS (Xenial Xerus):   Released (2.9.3+dfsg1-1ubuntu0.3)
  Ubuntu 14.04 ESM (Trusty Tahr):    Released (2.9.1+dfsg1-3ubuntu4.10)

Patches:
  Upstream: https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66

Notes

Author: tyhicks
Note: Downgrading from high to medium as the invalid write consists of an enum member within a struct being written with a constant value that's not attacker controlled. I suspect that this is quite difficult to exploit.

References

Bugs