| Package | libxml2 |
|---|---|
| Version | 2.9.1+dfsg1-5+deb8u14 (jessie), 2.9.4+dfsg1-2.2+deb9u9 (stretch) |
| Related CVEs | CVE-2022-40303 CVE-2022-40304 |
It was discovered that libxml2, the GNOME XML library, was vulnerable to integer overflows and memory corruption.
CVE-2022-40303
Parsing a XML document with the XML_PARSE_HUGE option enabled can result
in an integer overflow because safety checks were missing in some
functions. Also, the xmlParseEntityValue function did not have any length
limitation.
CVE-2022-40304
When a reference cycle is detected in the XML entity cleanup function the
XML entity data can be stored in a dictionary. In this case, the
dictionary becomes corrupted resulting in logic errors, including memory
errors like double free.
For Debian 8 jessie, these problems have been fixed in version 2.9.1+dfsg1-5+deb8u14.
For Debian 9 stretch, these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u9.
We recommend that you upgrade your libxml2 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.