Updated mxml packages fix security vulnerabilities
Publication date: 12 May 2019
Modification date: 12 May 2019
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-20004, CVE-2018-20005, CVE-2018-20592, CVE-2018-20593
Description
Updated mxml packages fix security vulnerabilities:

An issue has been found in Mini-XML (aka mxml) 2.12. It is a stack-based buffer overflow in mxml_write_node in mxml-file.c via vectors involving a double-precision floating point number and the '' substring, as demonstrated by testmxml (CVE-2018-20004).

An issue has been found in Mini-XML (aka mxml) 2.12. It is a use-after-free in mxmlWalkNext in mxml-search.c, as demonstrated by mxmldoc (CVE-2018-20005).

In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd function of the mxml-node.c file. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted XML file, as demonstrated by mxmldoc (CVE-2018-20592).

In Mini-XML (aka mxml) v2.12, there is a stack-based buffer overflow in the scan_file function in mxmldoc.c (CVE-2018-20593).
References
- https://bugs.mageia.org/show_bug.cgi?id=24583
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N53IJHDYR5HVQLKH4J6B27OEQLGKSGY5/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20004
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20005
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20592
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20593
SRPMS
6/core
- mxml-3.0-1.mga6