CVE-2017-0663
Published: 14 June 2017
A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.
Priority
Medium
CVSS 3 base score: 7.8
Status
| Package | Release | Status |
|---|---|---|
|
android Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(abandoned)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was ignored [abandoned])
|
|
|
libxml2 Launchpad, Ubuntu, Debian |
Upstream |
Released
(2.9.4+dfsg1-3.1)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(2.9.4+dfsg1-3.1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(2.9.3+dfsg1-1ubuntu0.3)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(2.9.1+dfsg1-3ubuntu4.10)
|
|
|
Patches: Upstream: https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66 |
||
Notes
| Author | Note |
|---|---|
| tyhicks | Downgrading from high to medium as the invalid write consists of a an enum member within a struct being written with a constant value that's not attacker controlled. I suspect that this is quite difficult to exploit. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
- https://source.android.com/security/bulletin/2017-06-01
- https://ubuntu.com/security/notices/USN-3424-1
- https://ubuntu.com/security/notices/USN-3424-2
- NVD
- Launchpad
- Debian