Chromium: Vulnerability reported in libxml
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported.

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: libxml
Package Version: [cpe:/a:xmlsoft:libxml2:2.7.7]
Advisory: CVE-2017-18258
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-18258
CVSS severity score: 4.3/10.0
Confidence: high
Description: The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
May 18 2018

May 21 2018
We'd still want to fix it even if it wasn't security oriented. That said, in at least CrOS, we've been using 2.9.6 since at least R66.
Aug 25
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by metzman@chromium.org, May 17 2018
Labels: OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows