CLD-223 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-15412 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) libxml2
Deficiency Type SECURITY
Date Created 2018-01-13 11:29:40
Date Last Modified 2018-01-13 18:30:50

Version Specific Information:

Cucumber 1.0 i686 fixed in libxml2-2.9.7-i686-1
Cucumber 1.0 x86_64 fixed in libxml2-2.9.7-x86_64-1 and libxml2-lib_i686-2.9.7-lib_i686-1

Cucumber 1.1 i686 fixed in libxml2-2.9.7-i686-1
Cucumber 1.1 x86_64 fixed in libxml2-2.9.7-x86_64-1 and libxml2-lib_i686-2.9.7-lib_i686-1

Details:

================================= Our Analysis =================================

----- Affected Products -----
Versions of libxml2 without the patch
https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73
applied are vulnerable (the patch was applied in the release of libxml2 2.9.6).
This includes libxml2 as originally packaged in Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
Use-after-free resulting in possible memory corruption.

----- Fix for this Vulnerability -----
Fixed by commit
https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt.