Arch Linux: ASA-202310-15 Medium: libxml2 Uncontrolled Memory Leak

Arch Linux Security Advisory ASA-201503-19
=========================================
Severity: Medium
Date    : 2015-03-20
CVE-ID  : CVE-2015-0252
Package : xerces-c
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package xerces-c before version 3.1.2-1 is vulnerable to denial of
service.

Resolution
=========
Upgrade to 3.1.2-1.

# pacman -Syu "xerces-c>=3.1.2-1"

The problem has been fixed upstream in version 3.1.2.

Workaround
=========
None.

Description
==========
- CVE-2015-0252 (denial of service)

The Xerces-C XML parser mishandles certain kinds of malformed input
documents, resulting in a segmentation fault during a parse operation.
The bug does not appear to allow for remote code execution, but is a
denial of service attack that in many applications may allow for an
unauthenticated attacker to supply malformed input and cause a crash.

Impact
=====
A remote attacker is able to send specially crafted documents that are
resulting in a segmentation fault leading to denial of service.

References
=========
https://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
https://access.redhat.com/security/cve/CVE-2015-0252
https://bugs.archlinux.org/task/44272