A flaw was found in libxml2 before 2.9.6. The xz_head function in xzlib.c allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
Created mingw-libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1566751]
Affects: epel-7 [bug 1566750]
Note that this patch introduced another vulnerability: CVE-2018-14567 (flaw bug 1619875), which was in turn fixed by: