CVE-2023-34411

Name: CVE-2023-34411
Description: The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release              Version    Status
rust-xml-rs (PTS)   buster               0.8.0-1    fixed
                    bookworm, bullseye   0.8.3-1    fixed
                    sid, trixie          0.8.19-1   fixed

The information below is based on the following data on fixed versions.

Package       Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
rust-xml-rs   source   (unstable)   (not affected)

Notes

- rust-xml-rs <not-affected> (Vulnerable code not present)
https://github.com/netvl/xml-rs/pull/226
Introduced by: https://github.com/netvl/xml-rs/commit/014d808be900c85a0afc5ccdfe668be040d175aa (0.8.9)
Fixed by: https://github.com/netvl/xml-rs/commit/c09549a187e62d39d40467f129e64abf32efc35c (0.8.14)
