
A libxml2 security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address vulnerabilities related to integer overflows and memory corruption.



ELA-721-1 libxml2 security update

Package : libxml2
Version : 2.9.1+dfsg1-5+deb8u14 (jessie), 2.9.4+dfsg1-2.2+deb9u9 (stretch)

Related CVEs :
CVE-2022-40303
CVE-2022-40304

It was discovered that libxml2, the GNOME XML library, was vulnerable to
integer overflows and memory corruption.

CVE-2022-40303
Parsing an XML document with the XML_PARSE_HUGE option enabled can result
in an integer overflow because safety checks were missing in some
functions. Also, the xmlParseEntityValue function did not have any length
limitation.

CVE-2022-40304
When a reference cycle is detected in the XML entity cleanup function, the
XML entity data can be stored in a dictionary. In this case, the
dictionary becomes corrupted, resulting in logic errors, including memory
errors like double free.
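
To check a host against the fixed versions listed above, the installed package version has to be compared using Debian's version ordering, because plain string comparison ranks `deb8u9` above `deb8u14`. The following is an added example, not part of the advisory: it reimplements the comparison rules from Debian Policy 5.6.12 in Python so it runs without dpkg, and the function names are illustrative.

```python
import re

# Fixed versions taken from the advisory above (ELA-721-1).
FIXED = {
    "jessie": "2.9.1+dfsg1-5+deb8u14",
    "stretch": "2.9.4+dfsg1-2.2+deb9u9",
}

def _order(c):
    # '~' sorts before everything; letters sort before other symbols.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, left to right.
    while a or b:
        na, a = re.match(r"([^0-9]*)(.*)", a).groups()
        nb, b = re.match(r"([^0-9]*)(.*)", b).groups()
        for k in range(max(len(na), len(nb))):
            oa = _order(na[k]) if k < len(na) else 0  # end of run sorts as 0
            ob = _order(nb[k]) if k < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da, a = re.match(r"([0-9]*)(.*)", a).groups()
        db, b = re.match(r"([0-9]*)(.*)", b).groups()
        if int(da or 0) != int(db or 0):  # digit runs compare numerically
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare(v1, v2):
    """Return -1, 0 or 1 for [epoch:]upstream[-revision] version strings."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        if not sep:
            upstream, rev = rest, "0"
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_fixed(release, installed):
    """True when `installed` is at or above the advisory's fixed version."""
    return compare(installed, FIXED[release]) >= 0
```

The installed version string can be read with `dpkg-query -W -f='${Version}' libxml2` and passed to `is_fixed` together with the release name.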
