A vulnerability was found in libxml2: when parsing a specially crafted XML document with XZ support enabled, it causes a DoS of the application.
CVE request (including reproducer):
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1277147]
Created mingw-libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1277149]
Affects: epel-7 [bug 1277150]
This issue did not affect the versions of libxml2 as shipped with Red Hat Enterprise Linux 5 and 6, as they did not include support for LZMA compression.
LZMA compression support was introduced in libxml2 in:
2.8.0: May 23 2012
Features: add lzma compression support (Anders F Bjorklund)
So LZMA support in 2.9.2 seems to be broken; that's why Fedora seems not affected.
But the bug is present in all versions from 2.8.0 onward.
Seems I managed to get a first fix for the issue; I will add it as an attachment.
Created attachment 1088640
Suggested patch for the issue
Patch pushed upstream:
This issue has been addressed in the following products:
Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
Will this bug be addressed in RHEL7.x?
(In reply to Matthew Almond from comment #14)
> Will this bug be addressed in RHEL7.x?
Thanks for notifying us; this may be fixed in a future release.