Missing validation for external entities was found in xmlParsePEReference that can lead to an XXE attack.
Upstream bug (private at the moment): https://bugzilla.gnome.org/show_bug.cgi?id=780691
Android patch: https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa
References: https://source.android.com/security/bulletin/2017-06-01#libraries
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1462226]
Created mingw-libxml2 tracking bugs for this issue:
Affects: epel-7 [bug 1462227]
Affects: fedora-all [bug 1462228]
Upstream patch: https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb582
Are there any steps to reproduce this vulnerability or to test the upstream patch?