SB2018102437 - Infinite loop in libxml2 (Alpine package)
Published: October 24, 2018
Security Bulletin ID
SB2018102437
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Infinite loop (CVE-ID: CVE-2018-9251)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists in the xz_decomp() function of the GNOME libxml2 library, as defined in the xzlib.c source code due to an infinite loop condition in the Lempel-Ziv-Markov (LZMA) decompression feature during the processing of XML files. A remote unauthenticated attacker can trick the victim into opening a specially crafted XML file that submits malicious input, trigger an LZMA_MEMLIMIT_ERROR condition and cause the application to crash.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=1647bdc21ffc22aacee5ea142d372445d1fd5b03
- https://git.alpinelinux.org/aports/commit/?id=5e57be93778177ca048236091d2814a4ad205903
- https://git.alpinelinux.org/aports/commit/?id=76958c600547909509a0352cfbfd9d329ff49da9
- https://git.alpinelinux.org/aports/commit/?id=f70c7aa335da7bafa60d0834ba1b57b9fd5c732c
- https://git.alpinelinux.org/aports/commit/?id=4bc223137c3c80eb753c3caaa60b3a368b80af0f
- https://git.alpinelinux.org/aports/commit/?id=81df780b6d24c97fe63fde06d2cf77d76dc47bb1
- https://git.alpinelinux.org/aports/commit/?id=0434d7dc126aeb836678e3b545a2fe8748a4b269
- https://git.alpinelinux.org/aports/commit/?id=1f4fa90580a1d7f0000a1bf14f337b446f28d317
- https://git.alpinelinux.org/aports/commit/?id=878af9b6555b9b812151e55fd3294c89cf0f53ba
- https://git.alpinelinux.org/aports/commit/?id=9ba0323ae03ecb1319c9174e281260c37544fa1d
- https://git.alpinelinux.org/aports/commit/?id=a6c278e2f3d21e7ffc9b25ad0cd3845c3caafcf9