Описание
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| libxml2 | fixed | 2.9.7+dfsg-1 | experimental | package |
| libxml2 | fixed | 2.9.10+dfsg-2 | package | |
| libxml2 | fixed | 2.9.4+dfsg1-7+deb10u1 | buster | package |
| libxml2 | postponed | wheezy | package |
Примечания
https://bugzilla.gnome.org/show_bug.cgi?id=786696
Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/e2a9122b8dde53d320750451e9907a7dcb2ca8bb
When fixing this issue make sure to not open CVE-2018-9251 and apply
the fix for CVE-2018-9251 / https://bugzilla.gnome.org/show_bug.cgi?id=794914
EPSS
Связанные уязвимости
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
Уязвимость функции xz_head компонента xzlib.c библиотеки Libxml2, связанная с недостатком механизма распределения ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
EPSS