First published: Thu Sep 07 2017
A flaw was found in libxml2 before 2.9.6. The xz_head function in xzlib.c allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder does not restrict memory usage to what a legitimate file requires. References: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
Credit: cve@mitre.org
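The mitigation class described above, a hard cap on decoder memory, can be shown with Python's lzma module, which wraps liblzma, the same library libxml2's xzlib.c drives through lzma_auto_decoder(). This is an added example, not libxml2 code; the dictionary sizes, the 4 MiB limit and the payload are constructed values.

```python
"""Bounded vs. unbounded LZMA decoding (added example, not libxml2 code).

A crafted .xz stream can declare a huge dictionary while carrying almost no
content; an unbounded decoder allocates the dictionary anyway. Passing a
memlimit to liblzma makes it reject such a stream up front.
"""
import lzma
from typing import Optional

MEMLIMIT = 4 * 1024 * 1024           # decoder memory cap (constructed value)
PAYLOAD = b"<doc>hello</doc>" * 64   # tiny constructed document


def make_xz(data: bytes, dict_size: int) -> bytes:
    """Compress `data` so the stream's block header demands a `dict_size` dictionary.

    The decoder must reserve roughly dict_size bytes regardless of how small
    the real content is; that mismatch is what a crafted file abuses.
    """
    filters = [{"id": lzma.FILTER_LZMA2, "dict_size": dict_size, "mf": lzma.MF_HC3}]
    return lzma.compress(data, format=lzma.FORMAT_XZ, filters=filters)


def decode_unbounded(blob: bytes) -> bytes:
    """Pre-fix behaviour: no limit, the decoder allocates whatever the header asks."""
    return lzma.LZMADecompressor(format=lzma.FORMAT_AUTO).decompress(blob)


def decode_bounded(blob: bytes, memlimit: int = MEMLIMIT) -> Optional[bytes]:
    """Post-fix behaviour: refuse any stream whose decoder would exceed memlimit.

    Returns the decoded bytes, or None when liblzma reports the limit exceeded.
    """
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_AUTO, memlimit=memlimit)
    try:
        return dec.decompress(blob)
    except lzma.LZMAError as exc:
        if "Memory usage limit exceeded" in str(exc):
            return None
        raise


def demo() -> dict:
    legit = make_xz(PAYLOAD, dict_size=1 << 20)    # 1 MiB dictionary, fits the cap
    greedy = make_xz(PAYLOAD, dict_size=8 << 20)   # 8 MiB dictionary, same tiny content
    return {
        "legit_ok": decode_bounded(legit) == PAYLOAD,
        "greedy_rejected": decode_bounded(greedy) is None,
        "greedy_unbounded_decodes": decode_unbounded(greedy) == PAYLOAD,
    }


if __name__ == "__main__":
    print(demo())
```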
Affected Software | Affected Version | How to fix |
---|---|---|
rubygems/nokogiri | <1.8.2 | 1.8.2 |
redhat/libxml2 | <0:2.9.1-6.el7.4 | 0:2.9.1-6.el7.4 |
Xmlsoft Libxml2 | <2.9.6 | |
redhat/libxml2 | <2.9.6 | 2.9.6 |
debian/libxml2 | 2.9.10+dfsg-6.7+deb11u4 2.9.10+dfsg-6.7+deb11u5 2.9.14+dfsg-1.3~deb12u1 2.12.7+dfsg+really2.9.14-0.1 2.12.7+dfsg+really2.9.14-0.2 |
CVE-2017-18258 is a vulnerability in libxml2 that allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file.
The software affected by CVE-2017-18258 includes Nokogiri (version 1.8.2) and libxml2 (versions 2.9.1+dfsg1-3ubuntu4.13, 2.9.4+dfsg1-6.1ubuntu1.2, 2.9.6, 2.9.3+dfsg1-1ubuntu0.6, 2.9.4+dfsg1-7+deb10u4, 2.9.4+dfsg1-7+deb10u6, 2.9.10+dfsg-6.7+deb11u4, 2.9.14+dfsg-1.3~deb12u1, 2.9.14+dfsg-1.3).
The severity of CVE-2017-18258 is medium with a CVSS score of 6.5.
To fix CVE-2017-18258, you should update libxml2 to version 2.9.6 or apply the necessary patches provided by the software vendor.
You can find more information about CVE-2017-18258 at the following references: [Git Repository](https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb), [Ubuntu Security Notice](https://usn.ubuntu.com/3739-1/), [Debian Security Advisory](https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html).