Summary: | <dev-libs/libxml2-2.9.8: memory consumption flaw in LZMA decompression (DoS) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | gnome |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.gnome.org/show_bug.cgi?id=794914 | ||
Whiteboard: | C3 [noglsa cve] | ||
Package list: | | Runtime testing required: | --- |
Description
D'juan McDonald (domhnall)
2018-05-13 06:10:57 UTC
commit e2a9122b8dde53d320750451e9907a7dcb2ca8bb (refs/bisect/bad)
Author: Nick Wellnhofer <wellnhofer@aevum.de>
Date:   Thu Sep 7 18:36:01 2017 +0200

    Set memory limit for LZMA decompression

    Otherwise malicious LZMA compressed files could consume large amounts
    of memory when decompressed.

    According to the xz man page, files compressed with `xz -9` currently
    require 65 MB to decompress, so set the limit to 100 MB.

    Should fix bug 786696.

$ git describe --contains e2a9122b8dde53d320750451e9907a7dcb2ca8bb
v2.9.6-rc1~7

@maintainer(s), ack if patch already applied with commits for 652976, please.

Vulnerable versions have been dropped via commit 2bea1ac35a4e6955517315078a2176c94cb4388d

We are done here it seems. GLSA Vote: No.

Thank you,
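An added example, not libxml2's code and not part of the original report: the kind of decoder memory limit the commit message describes, shown through Python's `lzma` module, which wraps liblzma. The function names, the constructed 8 MiB-dictionary sample and the 4 MiB test limit are assumptions made for illustration; only the 100 MB figure comes from the commit message.

```python
import lzma

# Decoder limit taken from the commit message above (100 MB).
MEMLIMIT_BYTES = 100 * 1024 * 1024


def make_xz(payload: bytes, dict_size: int) -> bytes:
    """Build a constructed .xz sample whose block header declares dict_size."""
    filters = [{"id": lzma.FILTER_LZMA2, "preset": 6, "dict_size": dict_size}]
    return lzma.compress(payload, format=lzma.FORMAT_XZ, filters=filters)


def decompress_capped(blob: bytes, memlimit: int = MEMLIMIT_BYTES):
    """Return (data, None) on success or (None, reason) on rejection.

    The decoder's memory need is driven by the dictionary size declared in
    the stream, not by the file size, so a small file can demand a large
    allocation. The limit is checked when the block header is decoded.
    """
    decoder = lzma.LZMADecompressor(format=lzma.FORMAT_XZ, memlimit=memlimit)
    try:
        data = decoder.decompress(blob)
    except lzma.LZMAError as exc:
        # Memory limit exceeded or corrupt input: fail closed.
        return None, str(exc)
    if not decoder.eof:
        return None, "truncated stream"
    return data, None


# Constructed sample: 64 KiB of input, header declares an 8 MiB dictionary.
SAMPLE = make_xz(b"A" * 65536, dict_size=8 * 1024 * 1024)

if __name__ == "__main__":
    # Fits under the 100 MB limit: decodes normally.
    data, err = decompress_capped(SAMPLE)
    print("100 MB limit:", len(data) if data else err)
    # A limit below the declared dictionary size: rejected by the decoder.
    data, err = decompress_capped(SAMPLE, memlimit=4 * 1024 * 1024)
    print("4 MiB limit:", len(data) if data else err)
```

The compressed sample is only a few hundred bytes, yet the decoder must reserve the full declared dictionary, which is why the limit is applied to the decoder rather than to the input size.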