ID CVE-2018-9251
Summary The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.
References
Vulnerable Configurations
  • cpe:2.3:a:xmlsoft:libxml2:2.9.8:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
CVSS
Base: 2.6 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:
CWE CWE-835
CAPEC
Access
  • Vector: NETWORK
  • Complexity: HIGH
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:H/Au:N/C:N/I:N/A:P
redhat via4
advisories
bugzilla
id 1595985
title CVE-2018-14404 libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 8 is installed
      oval oval:com.redhat.rhba:tst:20193384074
    • OR
      • AND
        • comment libxml2 is earlier than 0:2.9.7-7.el8
          oval oval:com.redhat.rhsa:tst:20201827001
        • comment libxml2 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749002
      • AND
        • comment libxml2-debugsource is earlier than 0:2.9.7-7.el8
          oval oval:com.redhat.rhsa:tst:20201827003
        • comment libxml2-debugsource is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201827004
      • AND
        • comment libxml2-devel is earlier than 0:2.9.7-7.el8
          oval oval:com.redhat.rhsa:tst:20201827005
        • comment libxml2-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749004
      • AND
        • comment python3-libxml2 is earlier than 0:2.9.7-7.el8
          oval oval:com.redhat.rhsa:tst:20201827007
        • comment python3-libxml2 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201827008
rhsa
id RHSA-2020:1827
released 2020-04-28
severity Moderate
title RHSA-2020:1827: libxml2 security update (Moderate)
rpms
  • libxml2-0:2.9.7-7.el8
  • libxml2-debuginfo-0:2.9.7-7.el8
  • libxml2-debugsource-0:2.9.7-7.el8
  • libxml2-devel-0:2.9.7-7.el8
  • python3-libxml2-0:2.9.7-7.el8
  • python3-libxml2-debuginfo-0:2.9.7-7.el8
refmap via4
misc https://bugzilla.gnome.org/show_bug.cgi?id=794914
mlist [debian-lts-announce] 20180927 [SECURITY] [DLA 1524-1] libxml2 security update
Last major update 03-10-2019 - 00:03
Published 04-04-2018 - 02:29
Last modified 03-10-2019 - 00:03