Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 655626 (CVE-2018-9251) - <dev-libs/libxml2-2.9.8: memory consumption flaw in LZMA decompression (DoS)
Summary: <dev-libs/libxml2-2.9.8: memory consumption flaw in LZMA decompression (DoS)
Alias: CVE-2018-9251
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: C3 [noglsa cve]
Depends on:
Reported: 2018-05-13 06:10 UTC by D'juan McDonald (domhnall)
Modified: 2018-07-26 08:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2018-05-13 06:10:57 UTC

The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.

Comment 1 D'juan McDonald (domhnall) 2018-05-28 21:18:30 UTC
commit e2a9122b8dde53d320750451e9907a7dcb2ca8bb (refs/bisect/bad)
Author: Nick Wellnhofer <>
Date:   Thu Sep 7 18:36:01 2017 +0200

    Set memory limit for LZMA decompression

    Otherwise malicious LZMA compressed files could consume large amounts
    of memory when decompressed.

    According to the xz man page, files compressed with `xz -9` currently
    require 65 MB to decompress, so set the limit to 100 MB.

    Should fix bug 786696.

$ git describe --contains e2a9122b8dde53d320750451e9907a7dcb2ca8bb

@maintainer(s), ack if patch already applied with commits for 652976, please.
Comment 2 D'juan McDonald (domhnall) 2018-07-26 08:44:15 UTC
Vulnerable versions have been dropped via commit 2bea1ac35a4e6955517315078a2176c94cb4388d
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-07-26 08:48:01 UTC
We are done here it seems.

GLSA Vote: No.

Thank you,