CVE-2018-9251

Published: 04 April 2018

The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package: libxml2 (Launchpad, Ubuntu, Debian)

Release | Status
Upstream | Needs triage
Ubuntu 16.04 ESM (Xenial Xerus) | Not vulnerable
Ubuntu 14.04 ESM (Trusty Tahr) | Not vulnerable

Notes

Author: leosilva
Note: it's only affected if e2a9122b8dde53d320750451e9907a7dcb2ca8bb was applied, and it's not the case.
