CLD-20 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-5969 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) libxml2
Deficiency Type SECURITY
Date Created 2017-09-13 10:24:23
Date Last Modified 2017-09-13 10:44:55

Version Specific Information:

Cucumber 1.0 i686 fixed in libxml2-2.9.5-i686-1
Cucumber 1.0 x86_64 fixed in libxml2-2.9.5-x86_64-1 and libxml2-lib_i686-2.9.5-lib_i686-1

Cucumber 1.1 i686 fixed in libxml2-2.9.5-i686-1
Cucumber 1.1 x86_64 fixed in libxml2-2.9.5-x86_64-1 and libxml2-lib_i686-2.9.5-lib_i686-1

Details:

** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote attackers
to cause a denial of service (NULL pointer dereference) via a crafted XML
document. NOTE: The maintainer states "I would disagree of a CVE with the
Recover parsing option which should only be used for manual recovery at least
for XML parser." (https://nvd.nist.gov/vuln/detail/CVE-2017-5969)

The bugzilla page (https://bugzilla.gnome.org/show_bug.cgi?id=778519) claims
this was fixed by https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882.
This patch has been applied in 2.9.5.