
CVE-2017-0663

Published: 14 June 2017

A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package    Release    Status

android (Launchpad, Ubuntu, Debian)
           artful     Does not exist
           bionic     Does not exist
           precise    Does not exist
           trusty     Does not exist (trusty was ignored [abandoned])
           upstream   Needs triage
           xenial     Ignored (abandoned)
           yakkety    Ignored (reached end-of-life)
           zesty      Ignored (reached end-of-life)

libxml2 (Launchpad, Ubuntu, Debian)
           artful     Not vulnerable (2.9.4+dfsg1-3.1)
           bionic     Not vulnerable (2.9.4+dfsg1-3.1)
           precise    Released (2.7.8.dfsg-5.1ubuntu4.18)
           trusty     Released (2.9.1+dfsg1-3ubuntu4.10)
           upstream   Released (2.9.4+dfsg1-3.1)
           xenial     Released (2.9.3+dfsg1-1ubuntu0.3)
           yakkety    Ignored (reached end-of-life)
           zesty      Released (2.9.4+dfsg1-2.2ubuntu0.1)

Notes

AuthorNote
tyhicks
Downgrading from high to medium as the invalid write consists of an enum member within a struct being written with a constant value that's not attacker controlled. I suspect that this is quite difficult to exploit.
