<p>Upgrade <code>Debian:8</code> <code>libxml2</code> to version 2.9.1+dfsg1-5+deb8u5 or higher.</p>

Out-of-Bounds Affecting libxml2 package, versions <2.9.1+dfsg1-5+deb8u5

Snyk CVSS

Attack Complexity Low

Availability High

Threat Intelligence

EPSS 0.29% (69^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-DEBIAN8-LIBXML2-429383
published 18 May 2017
disclosed 18 May 2017

Report a new vulnerability Found a mistake?

Introduced: 18 May 2017

CVE-2017-9048 Open this link in a new tab CWE-119 Open this link in a new tab

How to fix?

Upgrade Debian:8 libxml2 to version 2.9.1+dfsg1-5+deb8u5 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.