Updated mxml packages fix security vulnerability
Publication date: 04 Apr 2017
Modification date: 04 Apr 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-4570, CVE-2016-4571
Description
Two stack exhaustion issues caused by uncontrolled recursion were found in
mxml. A maliciously crafted XML file can cause the application to crash.
* Recursion using mxmlDelete at mxml-node.c:217 (reproducer is
stack-exhaustion-1.xml, CVE-2016-4570).
* Recursion using mxml_write_node at mxml-file.c:2739 (reproducer is
stack-exhaustion-2.xml, CVE-2016-4571).
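The bug class described above, as an added C example that is not mxml's code and not part of the advisory: a recursive tree delete whose stack use grows with the input's nesting depth, beside an iterative version with constant stack use. The node layout and all function names are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical node layout for illustration; not mxml's own structure. */
typedef struct node { struct node *parent, *child, *next; } node_t;

/* Allocate a node and link it as the first child of parent (NULL for a root). */
node_t *add_child(node_t *parent) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->parent = parent;
    if (parent) { n->next = parent->child; parent->child = n; }
    return n;
}

/* Constructed input: depth elements nested like <a><a><a>...</a></a></a>. */
node_t *make_nested(size_t depth) {
    node_t *root = NULL, *cur = NULL;
    for (size_t i = 0; i < depth; i++) {
        cur = add_child(cur);
        if (!root) root = cur;
    }
    return root;
}

/* Weak pattern: one stack frame per nesting level, so the input controls stack use. */
size_t delete_recursive(node_t *n) {
    if (!n) return 0;
    size_t freed = 1;
    for (node_t *c = n->child, *next; c; c = next) {
        next = c->next;
        freed += delete_recursive(c);
    }
    free(n);
    return freed;
}

/* Hardened pattern: same traversal driven by parent links, constant stack use. */
size_t delete_iterative(node_t *root) {
    size_t freed = 0;
    for (node_t *n = root; n; ) {
        node_t *c = n->child;
        if (c) { n->child = NULL; n = c; continue; }  /* descend, unlinking */
        /* leaf: go to the next sibling, else back up; stop once root is freed */
        node_t *after = (n == root) ? NULL : (n->next ? n->next : n->parent);
        free(n); freed++;
        n = after;
    }
    return freed;
}
```

Only call delete_recursive on shallow trees; at the depth that delete_iterative handles here it would exhaust a default-sized stack.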
References
- https://bugs.mageia.org/show_bug.cgi?id=20593
- https://bugzilla.redhat.com/show_bug.cgi?id=1334648
- https://lists.opensuse.org/opensuse-updates/2017-03/msg00081.html
- http://seclists.org/oss-sec/2016/q2/276
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4570
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4571
SRPMS
5/core
- mxml-2.7-6.1.mga5