Lucene search

K
archlinux
ArchLinuxASA-201810-4
HistoryOct 01, 2018 - 12:00 a.m.

[ASA-201810-4] lib32-libxml2: denial of service

2018-10-0100:00:00
security.archlinux.org
11

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

51.7%

Arch Linux Security Advisory ASA-201810-4

Severity: Medium
Date : 2018-10-01
CVE-ID : CVE-2018-9251
Package : lib32-libxml2
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-673

Summary

The package lib32-libxml2 before version 2.9.8-4 is vulnerable to
denial of service.

Resolution

Upgrade to 2.9.8-4.

pacman -Syu “lib32-libxml2>=2.9.8-4”

The problem has been fixed upstream but no release is available yet.

Workaround

None.

Description

A security issue has been found in libxml2 <= 2.9.8 compiled with LZMA
support enabled, in the xz_decomp function in xzlib.c. This flaw allows
a remote attacker to cause a denial of service via an infinite loop,
using a crafted XML payload that triggers LZMA_MEMLIMIT_ERROR.

Impact

A remote attacker is able to cause a denial of service by parsing a
specially crafted XML payload.

References

https://bugzilla.gnome.org/show_bug.cgi?id=794914
https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74
https://security.archlinux.org/CVE-2018-9251

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanylib32-libxml2< 2.9.8-4UNKNOWN
How to protect your server from attacks?

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

51.7%

Related for ASA-201810-4