CVE-2018-9251 (https://nvd.nist.gov/vuln/detail/CVE-2018-9251): The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.

Reference: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895195
commit e2a9122b8dde53d320750451e9907a7dcb2ca8bb (refs/bisect/bad)
Author: Nick Wellnhofer <wellnhofer@aevum.de>
Date:   Thu Sep 7 18:36:01 2017 +0200

    Set memory limit for LZMA decompression

    Otherwise malicious LZMA compressed files could consume large amounts of
    memory when decompressed. According to the xz man page, files compressed
    with `xz -9` currently require 65 MB to decompress, so set the limit to
    100 MB.

    Should fix bug 786696.

$ git describe --contains e2a9122b8dde53d320750451e9907a7dcb2ca8bb
v2.9.6-rc1~7

@maintainer(s), ack if patch already applied with commits for 652976, please.
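The two records above describe the same liblzma control point from opposite sides: the memory limit introduced by that commit makes the decoder report LZMA_MEMLIMIT_ERROR for a stream whose dictionary is too large, and CVE-2018-9251 is what happens when a decode loop treats that error as something to retry instead of as a terminal failure. The following example is added here and is not libxml2 code; it uses Python's stdlib lzma module (a binding to liblzma's memlimit) with a deliberately small 2 MiB limit and two constructed .xz streams, and shows a decode loop that stops on the limit error rather than spinning on it.

```python
import lzma

MEMLIMIT = 2 * 1024 * 1024  # 2 MiB decoder limit, deliberately small for the demo


def decompress_with_limit(data: bytes, memlimit: int = MEMLIMIT, chunk: int = 4096):
    """Stream-decode an .xz payload under a decoder memory limit.

    Returns (status, output). A memory-limit rejection is a terminal
    failure: liblzma cannot make progress on such input, so calling the
    decoder again (the behaviour behind CVE-2018-9251) never terminates.
    """
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ, memlimit=memlimit)
    out = bytearray()
    for off in range(0, len(data), chunk):
        try:
            out += dec.decompress(data[off:off + chunk])
        except lzma.LZMAError as exc:
            # liblzma reports LZMA_MEMLIMIT_ERROR as "Memory usage limit exceeded"
            if "limit" in str(exc).lower():
                return "memlimit", bytes(out)
            return "corrupt", bytes(out)
        if dec.eof:  # end of stream reached: stop, never call decompress() again
            break
    if not dec.eof:
        return "truncated", bytes(out)
    return "ok", bytes(out)


def make_xz(payload: bytes, dict_size: int) -> bytes:
    # Constructed sample: the LZMA2 dictionary size recorded in the block
    # header is what determines decoder memory (about dict_size plus a
    # small constant), so it alone decides whether the limit is exceeded.
    return lzma.compress(payload, format=lzma.FORMAT_XZ,
                         filters=[{"id": lzma.FILTER_LZMA2, "dict_size": dict_size}])


PAYLOAD = b"<doc>" + b"<item>x</item>" * 2000 + b"</doc>"  # constructed input
SMALL = make_xz(PAYLOAD, 1 * 1024 * 1024)   # 1 MiB dictionary: under the limit
LARGE = make_xz(PAYLOAD, 8 * 1024 * 1024)   # 8 MiB dictionary: over the limit

if __name__ == "__main__":
    print(decompress_with_limit(SMALL)[0])  # ok
    print(decompress_with_limit(LARGE)[0])  # memlimit
```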
Vulnerable versions have been dropped via commit 2bea1ac35a4e6955517315078a2176c94cb4388d
We are done here it seems. GLSA Vote: No. Thank you,