Univention Bugzilla – Bug 45355
libxml2: Multiple issues (4.2)
Last modified: 2017-12-14 12:55:57 CET
Upstream Debian package version 2.9.1+dfsg1-5+deb8u5 fixes these issues:
* A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library (CVE-2017-0663)
* Missing validation for external entities in xmlParsePEReference (CVE-2017-7375)
* Incorrect limit used for port values (CVE-2017-7376)
* Denial of Service (application crash) due to buffer overflow in function xmlSnprintfElementContent in valid.c (CVE-2017-9047)
* Denial of Service (application crash) due to stack-based buffer overflow in the function xmlSnprintfElementContent in valid.c (CVE-2017-9048)
* Denial of Service (application crash) due to heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c (CVE-2017-9049)
* Denial of Service (application crash) due to heap-based buffer over-read in the xmlDictAddString function in dict.c (CVE-2017-9050)
Imported and built. Advisory: https://git.knut.univention.de/univention/ucs/blob/4.2-3/doc/errata/staging/libxml2.yaml
Build failed? -> 2.9.1+dfsg1-5+deb8u5A~4.2.0.201712111935
> Build failed? -> 2.9.1+dfsg1-5+deb8u5A~4.2.0.201712111935
Yes, on amd64 the build failed, apparently due to an issue caused by parallelization. Now it succeeded with -j 1.
Installation: OK
YAML: OK
Verified
<http://errata.software-univention.de/ucs/4.2/248.html>
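Added here as an example (not code from the bug or from Univention): a Python reimplementation of dpkg's version ordering, so a checker can tell whether an installed libxml2 version string is at or above the fixing version 2.9.1+dfsg1-5+deb8u5, and why the `~4.2.0...` suffix of the UCS build sorts below a plain `deb8u5A`. The fixing version is taken from the description above; where dpkg itself is available, `dpkg --compare-versions` remains the authoritative check.

```python
import re

# Fixing Debian package version, taken from the bug description above.
FIXED_VERSION = "2.9.1+dfsg1-5+deb8u5"

def _order(c: str) -> int:
    # dpkg weights: '~' sorts before everything (even end of string),
    # digits and end of string are 0, letters sort before other symbols.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # Alternate non-digit runs (weighted lexically) and digit runs (numerically).
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia] if ia < len(a) else "")
            bc = _order(b[ib] if ib < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            ia, ib = ia + 1, ib + 1
        na = re.match(r"\d*", a[ia:]).group()
        nb = re.match(r"\d*", b[ib:]).group()
        ia, ib = ia + len(na), ib + len(nb)
        da, db = int(na or "0"), int(nb or "0")
        if da != db:
            return -1 if da < db else 1
    return 0

def _split(v: str):
    # [epoch:]upstream[-debian_revision]; the revision follows the last '-'.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(v1: str, v2: str) -> int:
    # Returns -1, 0 or 1 with the same ordering as `dpkg --compare-versions`.
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def has_fix(installed: str, fixed: str = FIXED_VERSION) -> bool:
    # True when the installed version is the fixing version or a later one.
    return compare_versions(installed, fixed) >= 0
```

Feed it the output of `dpkg-query -W -f '${Version}' libxml2`; the UCS build 2.9.1+dfsg1-5+deb8u5A~4.2.0.201712111935 from this bug evaluates as fixed, while 2.9.1+dfsg1-5+deb8u4 does not.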