CVE-2017-0663
Published: 14 June 2017
A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.
Priority
Medium
CVSS 3 base score: 7.8
Status
| Package | Release | Status |
|---|---|---|
|
android Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(abandoned)
|
|
| yakkety |
Ignored
(reached end-of-life)
|
|
| zesty |
Ignored
(reached end-of-life)
|
|
|
libxml2 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(2.9.4+dfsg1-3.1)
|
| bionic |
Not vulnerable
(2.9.4+dfsg1-3.1)
|
|
| precise |
Released
(2.7.8.dfsg-5.1ubuntu4.18)
|
|
| trusty |
Released
(2.9.1+dfsg1-3ubuntu4.10)
|
|
| upstream |
Released
(2.9.4+dfsg1-3.1)
|
|
| xenial |
Released
(2.9.3+dfsg1-1ubuntu0.3)
|
|
| yakkety |
Ignored
(reached end-of-life)
|
|
| zesty |
Released
(2.9.4+dfsg1-2.2ubuntu0.1)
|
Notes
| Author | Note |
|---|---|
| tyhicks | Downgrading from high to medium as the invalid write consists of a an enum member within a struct being written with a constant value that's not attacker controlled. I suspect that this is quite difficult to exploit. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
- https://source.android.com/security/bulletin/2017-06-01
- https://ubuntu.com/security/notices/USN-3424-1
- https://ubuntu.com/security/notices/USN-3424-2
- NVD
- Launchpad
- Debian