Source: libxml2
Version: 2.9.13+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libxml2.

CVE-2022-29824[0]:
| In libxml2 before 2.9.14, several buffer handling functions in buf.c
| (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows.
| This can result in out-of-bounds memory writes. Exploitation requires
| a victim to open a crafted, multi-gigabyte XML file. Other software
| using libxml2's buffer functions, for example libxslt through 1.1.35,
| is affected as well.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29824
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
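The class of bug the CVE text describes (buffer bookkeeping that adds a requested length to the bytes in use without checking for wrap-around, so a crafted multi-gigabyte input makes the buffer look big enough and the following copy writes out of bounds) is easiest to see on a small growable buffer. The C below is an added illustration written for this report; it is not libxml2's code, not the upstream fix in [1], and does not reproduce the xmlBuf*/xmlBuffer* API. The struct name demo_buf, its 32-bit use/size fields, the demo_* function names and the DEMO_MAX_SIZE cap are all assumptions made here. demo_unchecked_needed() shows the wrapping arithmetic in isolation (it never touches memory); demo_buf_grow_checked() and demo_buf_add() show the defensive shape: test the addition before doing it, enforce an absolute size cap, and only copy after a successful grow.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer with 32-bit bookkeeping, so that the
 * wrap-around is reachable with multi-gigabyte inputs. Layout and names
 * are assumptions for this illustration, not libxml2's structs. */
typedef struct {
    unsigned char *content;
    unsigned int use;   /* bytes currently stored */
    unsigned int size;  /* bytes allocated */
} demo_buf;

/* Policy cap on buffer size, independent of arithmetic overflow.
 * The value is an assumption for the demo (1 GiB). */
#define DEMO_MAX_SIZE (1u << 30)

/* The unchecked pattern: "how much room does this append need?".
 * Unsigned addition wraps silently, so a huge len yields a tiny result,
 * the growth step is skipped, and a later memcpy of len bytes would run
 * past the allocation. This function only computes; it writes nothing. */
unsigned int demo_unchecked_needed(unsigned int use, unsigned int len)
{
    return use + len;
}

/* Overflow-aware addition: returns 1 and leaves *out untouched when
 * use + len is not representable in unsigned int, 0 otherwise. */
int demo_add_overflows(unsigned int use, unsigned int len, unsigned int *out)
{
    if (len > UINT_MAX - use)
        return 1;
    *out = use + len;
    return 0;
}

int demo_buf_init(demo_buf *b, unsigned int initial)
{
    b->content = malloc(initial ? initial : 1);
    if (b->content == NULL)
        return -1;
    b->use = 0;
    b->size = initial;
    return 0;
}

void demo_buf_free(demo_buf *b)
{
    free(b->content);
    b->content = NULL;
    b->use = b->size = 0;
}

/* Checked growth: refuse rather than wrap. Returns 0 when b has room for
 * len more bytes, -1 on overflow, cap violation or allocation failure. */
int demo_buf_grow_checked(demo_buf *b, unsigned int len)
{
    unsigned int need, newsize;
    unsigned char *p;

    if (demo_add_overflows(b->use, len, &need))
        return -1;                      /* would wrap */
    if (need > DEMO_MAX_SIZE)
        return -1;                      /* representable, but over policy */
    if (need <= b->size)
        return 0;                       /* already enough room */
    /* Grow geometrically, but never let the doubling itself wrap. */
    if (b->size > UINT_MAX / 2)
        newsize = need;
    else {
        newsize = b->size * 2;
        if (newsize < need)
            newsize = need;
    }
    p = realloc(b->content, newsize);
    if (p == NULL)
        return -1;
    b->content = p;
    b->size = newsize;
    return 0;
}

/* Append data; the copy happens only after a successful checked grow. */
int demo_buf_add(demo_buf *b, const unsigned char *data, unsigned int len)
{
    if (demo_buf_grow_checked(b, len) != 0)
        return -1;
    memcpy(b->content + b->use, data, len);
    b->use += len;
    return 0;
}

int main(void)
{
    demo_buf b;
    unsigned int need = 0;

    if (demo_buf_init(&b, 16) != 0)
        return 1;
    demo_buf_add(&b, (const unsigned char *)"<root>", 6);
    printf("unchecked: 0xFFFFFFF0 + 0x20 looks like %u bytes needed\n",
           demo_unchecked_needed(0xFFFFFFF0u, 0x20u));
    printf("checked:   overflow=%d\n",
           demo_add_overflows(0xFFFFFFF0u, 0x20u, &need));
    printf("append of UINT_MAX-2 bytes rejected: %d\n",
           demo_buf_grow_checked(&b, UINT_MAX - 2) == -1);
    demo_buf_free(&b);
    return 0;
}
```

The two checks in demo_buf_grow_checked() are deliberately separate: the overflow test is what the CVE is about, while the cap is the belt-and-braces limit that also stops a merely large (non-wrapping) request from turning into a multi-gigabyte allocation, which is the input size the advisory says an attacker needs.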