CVE-2017-0663
Published: 14 June 2017
A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.
Notes
| Author | Note |
|---|---|
| tyhicks | Downgrading from high to medium as the invalid write consists of a an enum member within a struct being written with a constant value that's not attacker controlled. I suspect that this is quite difficult to exploit. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
android Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(abandoned)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
|
|
libxml2 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(2.9.4+dfsg1-3.1)
|
| bionic |
Not vulnerable
(2.9.4+dfsg1-3.1)
|
|
| trusty |
Released
(2.9.1+dfsg1-3ubuntu4.10)
|
|
| upstream |
Released
(2.9.4+dfsg1-3.1, 2.9.5)
|
|
| xenial |
Released
(2.9.3+dfsg1-1ubuntu0.3)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Released
(2.9.4+dfsg1-2.2ubuntu0.1)
|
|
|
Patches: upstream: https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |