Advisories » MGASA-2017-0119

Updated xstream packages fix security vulnerability

Publication date: 30 Apr 2017
Modification date: 30 Apr 2017
Type: security
Affected Mageia releases : 5

Description

A vulnerability was found in XStream. Parsing a maliciously crafted file
could cause the application to crash. The processed stream at
unmarshalling type contains type information to recreate the formerly
written objects. XStream creates therefore new instances based on these
type information. The crash occurrs if this information advices XStream to
create an instance of the primitive type 'void'. This situation can only
happen if an attacker was able to manipulate the incoming data, since such
an instance does not exist (rhbz#1441538).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=20704
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NINYW4L2T4MRN4RGENSWNBLOTKM7WD3T/

SRPMS

5/core

• xstream-1.4.9-1.1.mga5