CrOS: Vulnerability reported in dev-libs/libxml2
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported.

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: dev-libs/libxml2
Package Version: [cpe:/a:xmlsoft:libxml2:2.9.4]
Advisory: CVE-2017-5130
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-5130
CVSS severity score: 6.8/10.0
Confidence: high
Description: An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file.
Feb 27 2018
That patch does not help the system side of CrOS, but we're already using 2.9.6 in R65 and ToT, so we aren't affected there.

R64 is using 2.9.4 that I don't think includes these fixes, but I don't think the TPMs are looking to add any more patches to R64, and the exposure on the CrOS side should be fairly low.
Mar 5 2018
Closing since there is nothing more to do here.
Jun 12 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Feb 27 2018