CVE-2016-4658

Name	CVE-2016-4658
Description	xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DLA-691-1, DSA-3744-1
NVD severity	high (attack range: remote)
Debian Bugs	840553

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libxml2 (PTS)	jessie (security), jessie	2.9.1+dfsg1-5+deb8u6	fixed
	stretch (security), stretch	2.9.4+dfsg1-2.2+deb9u2	fixed
	buster, sid	2.9.4+dfsg1-7	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libxml2	source	(unstable)	2.9.4+dfsg1-2.1	high		840553
libxml2	source	jessie	2.9.1+dfsg1-5+deb8u4	high	DSA-3744-1
libxml2	source	wheezy	2.8.0+dfsg1-7+wheezy7	high	DLA-691-1

Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b