Overview Details

File _patchinfo of Package patchinfo

<patchinfo incident="8894">
  <issue tracker="bnc" id="1088601">VUL-1: CVE-2017-18258: libxml2: The xz_head function in xzlib.c in libxml2 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file</issue>
  <issue tracker="bnc" id="1088279">VUL-1: CVE-2018-9251: libxml2: The xz_decomp function in xzlib.c allows remote attackers to cause a denial of service (infinite loop) via acrafted XML file that triggers LZMA_MEMLIMIT_ERROR</issue>
  <issue tracker="bnc" id="1102046">VUL-1: CVE-2018-14404 libxml2: NULL pointer dereference in xpath.c:xmlXPathCompOpEval() can allow attackers to cause a denial of service</issue>
  <issue tracker="bnc" id="1105166">VUL-0: CVE-2018-14567: libxml2: infinite loop in LZMA decompression</issue>
  <issue tracker="cve" id="2018-9251"/>
  <issue tracker="cve" id="2018-14567"/>
  <issue tracker="cve" id="2018-14404"/>
  <issue tracker="cve" id="2017-18258"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>pmonrealgonzalez</packager>
  <description>This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a
  denial of service (infinite loop) via a crafted XML file that triggers
  LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML
  file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint
  (bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval()
  function when parsing an invalid XPath expression in the XPATH_OP_AND or
  XPATH_OP_OR case leading to a denial of service attack (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a
  denial of service (memory consumption) via a crafted LZMA file, because the
  decoder functionality did not restrict memory usage to what is required for a
  legitimate file (bsc#1088601).

This update was imported from the SUSE:SLE-12-SP2:Update update project.</description>
  <summary>Security update for libxml2</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places