CVE-2021-3517

NameCVE-2021-3517
DescriptionThere is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2653-1
NVD severityhigh
Debian Bugs987738

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libxml2 (PTS)stretch2.9.4+dfsg1-2.2+deb9u2vulnerable
stretch (security)2.9.4+dfsg1-2.2+deb9u5fixed
buster2.9.4+dfsg1-7+deb10u2fixed
bullseye2.9.10+dfsg-6.7fixed
bookworm, sid2.9.12+dfsg-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libxml2sourcestretch2.9.4+dfsg1-2.2+deb9u4DLA-2653-1
libxml2sourcebuster2.9.4+dfsg1-7+deb10u2
libxml2source(unstable)2.9.10+dfsg-6.6987738

Notes

https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2

Search for package or bug name: Reporting problems