ArchLinux: 201810-3: libxml2: denial of service
Summary
A security issue has been found in libxml2 <= 2.9.8 compiled with LZMA support enabled, in the xz_decomp function in xzlib.c. This flaw allows a remote attacker to cause a denial of service via an infinite loop, using a crafted XML payload that triggers LZMA_MEMLIMIT_ERROR.
Resolution
Upgrade to 2.9.8-5.
# pacman -Syu "libxml2>=2.9.8-5"
The problem has been fixed upstream but no release is available yet.
References
https://bugzilla.gnome.org/show_bug.cgi?id=794914 https://gitlab.gnome.org/GNOME/libxml2/-/commit/2240fbf5912054af025fb6e01e26375100275e74 https://security.archlinux.org/CVE-2018-9251
Workaround
None.