DescriptionBuffer overflow in libxml2 allows remote attackers to execute arbitrary code by leveraging an incorrect limit for port values when handling redirects.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1060-1, DSA-3952-1
Debian Bugs870865

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libxml2 (PTS)buster2.9.4+dfsg1-7+deb10u4fixed
buster (security)2.9.4+dfsg1-7+deb10u6fixed
bullseye (security), bullseye2.9.10+dfsg-6.7+deb11u4fixed
sid, trixie2.9.14+dfsg-1.3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Notes (not yet public)
Android patch:
Fix upstream:
The upstream patch has the slight consequence that some port values end up
negative when cast to a 32-bit int. A negative port though in the URL would
make the URL invalid. It is discussed if instead it would be best to prevent
the port from ever being negative. Upstream decided to leave the above patch.

Search for package or bug name: Reporting problems