The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.
commit e2a9122b8dde53d320750451e9907a7dcb2ca8bb (refs/bisect/bad)
Author: Nick Wellnhofer <email@example.com>
Date: Thu Sep 7 18:36:01 2017 +0200

    Set memory limit for LZMA decompression

    Otherwise malicious LZMA compressed files could consume large amounts
    of memory when decompressed.

    According to the xz man page, files compressed with `xz -9` currently
    require 65 MB to decompress, so set the limit to 100 MB.

    Should fix bug 786696.

$ git describe --contains e2a9122b8dde53d320750451e9907a7dcb2ca8bb
@maintainer(s), ack if patch already applied with commits for 652976, please.
Vulnerable versions have been dropped via commit 2bea1ac35a4e6955517315078a2176c94cb4388d
We are done here it seems.
GLSA Vote: No.
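
Added example, not part of the original thread and not libxml2 code: a chunked decompression loop that applies the 100 MB limit from the commit message and treats a memory-limit error as terminal, so the failure mode in the CVE description ends the loop. It uses Python's `lzma` module (a liblzma binding) instead of the C API; `safe_xz_decompress`, `chunk`, `max_out` and the sample data are hypothetical names and constructed values.

```python
import lzma

MEMLIMIT = 100 * 1024 * 1024  # 100 MB, the limit named in the commit message


def safe_xz_decompress(data, memlimit=MEMLIMIT, chunk=4096, max_out=1 << 24):
    """Return (status, output); status is ok, memlimit, corrupt, truncated or too_large."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ, memlimit=memlimit)
    out = bytearray()
    pos = 0
    while not dec.eof:
        if dec.needs_input:
            if pos >= len(data):
                return "truncated", b""  # input ran out before end of stream
            piece = data[pos:pos + chunk]
            pos += len(piece)
        else:
            piece = b""  # decoder still holds buffered output
        try:
            out += dec.decompress(piece, max_length=chunk)
        except lzma.LZMAError as exc:
            # Terminal: retrying with the same input would hit the same error forever.
            # CPython reports LZMA_MEMLIMIT_ERROR with the message matched below.
            kind = "memlimit" if "limit exceeded" in str(exc) else "corrupt"
            return kind, b""
        if len(out) > max_out:
            return "too_large", b""  # cap on decompressed size
    return "ok", bytes(out)


# Constructed sample: preset 0 keeps the demo light on memory.
PLAIN = b"<doc>" + b"<item/>" * 20000 + b"</doc>"
SAMPLE = lzma.compress(PLAIN, format=lzma.FORMAT_XZ, preset=0)

if __name__ == "__main__":
    print(safe_xz_decompress(SAMPLE)[0])
    print(safe_xz_decompress(SAMPLE, memlimit=64 * 1024)[0])
    print(safe_xz_decompress(SAMPLE[:-8])[0])
```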