A vulnerability was found in libxml2 that causes a DoS of the application when parsing a specially crafted XML document if XZ support is enabled.
CVE request (including reproducer): http://seclists.org/oss-sec/2015/q4/206
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1277147]
Created mingw-libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1277149]
Affects: epel-7 [bug 1277150]
Statement: This issue did not affect the versions of libxml2 as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include LZMA compression support.
LZMA compression support was introduced in libxml2 in:
2.8.0: May 23 2012
Features: add lzma compression support (Anders F Bjorklund)
So lzma support in 2.9.2 seems to be broken, that's why Fedora seems not affected. But the bug is present in all versions from 2.8.0 onward. Seems I managed to get a first fix for the issue, I will add it as an attachment.
Daniel
Created attachment 1088640
Suggested patch for the issue
https://bugzilla.gnome.org/show_bug.cgi?id=757466
patch pushed upstream:
https://git.gnome.org/browse/libxml2/commit/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
Daniel
This issue has been addressed in the following products:
Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
Will this bug be addressed in RHEL7.x?
(In reply to Matthew Almond from comment #14)
> Will this bug be addressed in RHEL7.x?
Thanks for notifying us, this may be fixed in a future release.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:1190 https://access.redhat.com/errata/RHSA-2020:1190