{
  "schema_version": "1.7.0",
  "id": "MGASA-2017-0119",
  "published": "2017-04-30T23:33:52Z",
  "modified": "2017-04-30T23:21:40Z",
  "summary": "Updated xstream packages fix security vulnerability",
  "details": "A vulnerability was found in XStream. Parsing a maliciously crafted file\ncould cause the application to crash. The processed stream at\nunmarshalling type contains type information to recreate the formerly\nwritten objects. XStream creates therefore new instances based on these\ntype information. The crash occurrs if this information advices XStream to\ncreate an instance of the primitive type 'void'. This situation can only\nhappen if an attacker was able to manipulate the incoming data, since such\nan instance does not exist (rhbz#1441538).\n",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2017-0119.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=20704"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NINYW4L2T4MRN4RGENSWNBLOTKM7WD3T/"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:5",
        "name": "xstream",
        "purl": "pkg:rpm/mageia/xstream?arch=source&distro=mageia-5"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.9-1.1.mga5"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
