Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201803-23 ========================================= Severity: High Date : 2018-03-25 CVE-ID : CVE-2017-12627 Package : xerces-c Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-644 Summary ====== The package xerces-c before version 3.2.1-1 is vulnerable to arbitrary code execution. Resolution ========= Upgrade to 3.2.1-1. # pacman -Syu "xerces-c>=3.2.1-1" The problem has been fixed upstream in version 3.2.1. Workaround ========= None. Description ========== The Xerces-C XML parser mishandles certain kinds of external DTD references, resulting in dereference of a NULL pointer while processing the path to the DTD. The bug allows for a denial of service attack in applications that allow DTD processing and do not prevent external DTD usage, and could conceivably result in remote code execution. Impact ===== A remote attacker might be able to cause a denial of service or execute arbitrary code by submitting a crafted XML document with an external DTD path to an application using a vulnerable version of the xerces-c parser. References ========= https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt https://security.archlinux.org/CVE-2017-12627