CVE-2017-9050: Input Validation
First published: Thu May 18 2017(Updated: )
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
Credit: Mateusz Jurczyk (j00ru) Google Project ZeroMateusz Jurczyk (j00ru) Google Project ZeroMateusz Jurczyk (j00ru) Google Project ZeroMateusz Jurczyk (j00ru) Google Project ZeroMateusz Jurczyk (j00ru) Google Project ZeroMateusz Jurczyk (j00ru) Google Project ZeroMateusz Jurczyk (j00ru) Google Project Zero cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/libxml2 | 2.9.4+dfsg1-7+deb10u4 2.9.4+dfsg1-7+deb10u6 2.9.10+dfsg-6.7+deb11u4 2.9.14+dfsg-1.3~deb12u1 2.9.14+dfsg-1.3 | |
| Xmlsoft Libxml2 | =2.9.4 | |
| Apple iCloud for Windows | <7.0 | 7.0 |
| Apple iTunes for Windows | <12.7 | 12.7 |
| debian/libxml2 | <=2.9.4+dfsg1-2.2<=2.9.1+dfsg1-5 | 2.9.4+dfsg1-3.1 2.9.4+dfsg1-2.2+deb9u1 2.9.1+dfsg1-5+deb8u5 |
| Apple watchOS | <4 | 4 |
| Apple tvOS | <11 | 11 |
| Apple iOS | <11 | 11 |
| Apple macOS | <10.13 | 10.13 |
| Apple macOS | <10.13.1 | 10.13.1 |
| Apple Sierra | ||
| Apple El Capitan |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/HT208112 (Advisory)
- https://support.apple.com/en-us/HT208113 (Advisory)
- https://support.apple.com/en-us/HT208115 (Advisory)
- https://support.apple.com/en-us/HT208141 (Advisory)
- https://support.apple.com/en-us/HT208142 (Advisory)
- https://support.apple.com/en-us/HT208144 (Advisory)
- https://support.apple.com/en-us/HT208221 (Advisory)
- https://bugzilla.gnome.org/show_bug.cgi?id=781361
- https://security-tracker.debian.org/tracker/CVE-2017-9050
- https://security-tracker.debian.org/tracker/CVE-2016-1839
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050
- http://www.openwall.com/lists/oss-security/2017/05/15/1
- https://mapreri.org
- https://launchpad.net/~mapreri
- https://qa.debian.org/developer.php?login=mattia
- https://security-tracker.debian.org/tracker/CVE-2017-7376
- https://security-tracker.debian.org/tracker/CVE-2017-7375
- https://security-tracker.debian.org/tracker/CVE-2017-9049
- https://security-tracker.debian.org/tracker/CVE-2017-9047
- https://security-tracker.debian.org/tracker/CVE-2017-9048
- https://security-tracker.debian.org/tracker/CVE-2017-0663
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863018
- http://www.debian.org/security/2017/dsa-3952
- http://www.securityfocus.com/bid/98568
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://security.gentoo.org/glsa/201711-01
- https://www.openwall.com/lists/oss-security/2017/05/15/1
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/e26630548e7d138d2c560844c43820b6767251e3
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2017-13829
- CVE-2017-13833
- CVE-2017-13831
- CVE-2017-9049
- CVE-2017-7376
- CVE-2017-5130
- CVE-2017-9050
- CVE-2018-4302
- CVE-2017-7127
- CVE-2017-7081
- CVE-2017-7087
- CVE-2017-7091
- CVE-2017-7092
- CVE-2017-7093
- CVE-2017-7094
- CVE-2017-7095
- CVE-2017-7096
- CVE-2017-7098
- CVE-2017-7099
- CVE-2017-7100
- CVE-2017-7102
- CVE-2017-7104
- CVE-2017-7107
- CVE-2017-7111
- CVE-2017-7117
- CVE-2017-7120
- CVE-2017-7089
- CVE-2017-7090
- CVE-2017-7106
- CVE-2017-7109
- CVE-2017-13832
- CVE-2017-7083
- CVE-2017-13821
- CVE-2017-0381
- CVE-2017-13825
- CVE-2017-13815
- CVE-2017-13828
- CVE-2017-13830
- CVE-2017-13814
- CVE-2017-13817
- CVE-2017-13818
- CVE-2017-13836
- CVE-2017-13841
- CVE-2017-13840
- CVE-2017-13842
- CVE-2017-13782
- CVE-2017-13843
- CVE-2017-7114
- CVE-2017-13854
- CVE-2017-13834
- CVE-2017-13873
- CVE-2017-13813
- CVE-2017-13816
- CVE-2017-13812
- CVE-2017-7086
- CVE-2017-1000373
- CVE-2016-9063
- CVE-2017-9233
- CVE-2017-7080
- CVE-2017-10989
- CVE-2017-7128
- CVE-2017-7129
- CVE-2017-7130
- CVE-2017-7103
- CVE-2017-7105
- CVE-2017-7108
- CVE-2017-7110
- CVE-2017-7112
- CVE-2017-7116
- CVE-2016-9840
- CVE-2016-9841
- CVE-2016-9842
- CVE-2016-9843
- CVE-2017-13822
- CVE-2017-11120
- CVE-2017-11121
- CVE-2017-7115
- CVE-2017-11122
- CVE-2017-13863
- CVE-2017-7131
- CVE-2017-7088
- CVE-2017-11103
- CVE-2017-7072
- CVE-2017-7140
- CVE-2017-7148
- CVE-2017-7078
- CVE-2017-7097
- CVE-2017-7118
- CVE-2017-7133
- CVE-2017-7075
- CVE-2017-7139
- CVE-2017-13806
- CVE-2017-7132
- CVE-2017-7085
- CVE-2017-13877
- CVE-2017-7146
- CVE-2017-6211
- CVE-2017-7145
- CVE-2017-7144
- CVE-2017-7142
- CVE-2016-0736
- CVE-2016-2161
- CVE-2016-5387
- CVE-2016-8740
- CVE-2016-8743
- CVE-2017-13909
- CVE-2017-13809
- CVE-2017-7084
- CVE-2017-7074
- CVE-2017-13820
- CVE-2017-13807
- CVE-2017-7143
- CVE-2017-13890
- CVE-2017-13851
- CVE-2017-7138
- CVE-2017-7121
- CVE-2017-7122
- CVE-2017-7123
- CVE-2017-7124
- CVE-2017-7125
- CVE-2017-7126
- CVE-2017-13811
- CVE-2017-13835
- CVE-2017-13819
- CVE-2017-13837
- CVE-2017-13906
- CVE-2017-7077
- CVE-2017-7119
- CVE-2017-13810
- CVE-2017-13827
- CVE-2016-4736
- CVE-2017-7141
- CVE-2017-6451
- CVE-2017-6452
- CVE-2017-6455
- CVE-2017-6458
- CVE-2017-6459
- CVE-2017-6460
- CVE-2017-6462
- CVE-2017-6463
- CVE-2017-6464
- CVE-2016-9042
- CVE-2017-13824
- CVE-2017-13846
- CVE-2017-10140
- CVE-2017-13823
- CVE-2017-13808
- CVE-2017-13838
- CVE-2017-7082
- CVE-2017-13908
- CVE-2017-13839
- CVE-2017-13910
- CVE-2017-3167
- CVE-2017-3169
- CVE-2017-7659
- CVE-2017-7668
- CVE-2017-7679
- CVE-2017-9788
- CVE-2017-9789
- CVE-2017-13786
- CVE-2017-13800
- CVE-2017-1000100
- CVE-2017-1000101
- CVE-2017-13801
- CVE-2017-13799
- CVE-2017-13852
- CVE-2017-5969
- CVE-2018-4390
- CVE-2018-4391
- CVE-2017-13907
- CVE-2017-7170
- CVE-2017-7150
- CVE-2017-13804
- CVE-2017-11108
- CVE-2017-11541
- CVE-2017-11542
- CVE-2017-11543
- CVE-2017-12893
- CVE-2017-12894
- CVE-2017-12895
- CVE-2017-12896
- CVE-2017-12897
- CVE-2017-12898
- CVE-2017-12899
- CVE-2017-12900
- CVE-2017-12901
- CVE-2017-12902
- CVE-2017-12985
- CVE-2017-12986
- CVE-2017-12987
- CVE-2017-12988
- CVE-2017-12989
- CVE-2017-12990
- CVE-2017-12991
- CVE-2017-12992
- CVE-2017-12993
- CVE-2017-12994
- CVE-2017-12995
- CVE-2017-12996
- CVE-2017-12997
- CVE-2017-12998
- CVE-2017-12999
- CVE-2017-13000
- CVE-2017-13001
- CVE-2017-13002
- CVE-2017-13003
- CVE-2017-13004
- CVE-2017-13005
- CVE-2017-13006
- CVE-2017-13007
- CVE-2017-13008
- CVE-2017-13009
- CVE-2017-13010
- CVE-2017-13011
- CVE-2017-13012
- CVE-2017-13013
- CVE-2017-13014
- CVE-2017-13015
- CVE-2017-13016
- CVE-2017-13017
- CVE-2017-13018
- CVE-2017-13019
- CVE-2017-13020
- CVE-2017-13021
- CVE-2017-13022
- CVE-2017-13023
- CVE-2017-13024
- CVE-2017-13025
- CVE-2017-13026
- CVE-2017-13027
- CVE-2017-13028
- CVE-2017-13029
- CVE-2017-13030
- CVE-2017-13031
- CVE-2017-13032
- CVE-2017-13033
- CVE-2017-13034
- CVE-2017-13035
- CVE-2017-13036
- CVE-2017-13037
- CVE-2017-13038
- CVE-2017-13039
- CVE-2017-13040
- CVE-2017-13041
- CVE-2017-13042
- CVE-2017-13043
- CVE-2017-13044
- CVE-2017-13045
- CVE-2017-13046
- CVE-2017-13047
- CVE-2017-13048
- CVE-2017-13049
- CVE-2017-13050
- CVE-2017-13051
- CVE-2017-13052
- CVE-2017-13053
- CVE-2017-13054
- CVE-2017-13055
- CVE-2017-13687
- CVE-2017-13688
- CVE-2017-13689
- CVE-2017-13690
- CVE-2017-13725
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13080
Frequently Asked Questions
What is CVE-2017-9050?
CVE-2017-9050 is a memory corruption vulnerability in libxml2.
How does CVE-2017-9050 affect libxml2?
CVE-2017-9050 can cause programs that use libxml2 to crash due to a heap-based buffer over-read vulnerability.
What is the severity of CVE-2017-9050?
CVE-2017-9050 has a severity rating of 7.5 (high).
What is the recommended remedy for CVE-2017-9050?
To fix CVE-2017-9050, update libxml2 to version 2.9.4 or later.
Where can I find more information about CVE-2017-9050?
You can find more information about CVE-2017-9050 at the following references: [Reference 1](https://support.apple.com/en-us/HT208113), [Reference 2](https://support.apple.com/en-us/HT208112), [Reference 3](https://bugzilla.gnome.org/show_bug.cgi?id=781361).
- collector/security-tracker-debian
- collector/nvd-index
- collector/apple-support
- collector/debian-bugs
- alias/CVE-2017-9050
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/software-canonical-lookup-request
- agent/event
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/tags
- agent/description
- package-manager/debian
- vendor/xmlsoft
- canonical/xmlsoft libxml2
- version/xmlsoft libxml2/2.9.4
- vendor/apple
- canonical/apple icloud for windows
- canonical/apple itunes for windows
- canonical/apple watchos
- canonical/apple tvos
- canonical/apple ios
- canonical/apple macos
- canonical/apple sierra
- canonical/apple el capitan