CVE-2016-4570
Description
The mxmlDelete function in mxml-node.c in mxml 2.9, 2.7, and possibly earlier allows remote attackers to cause a denial of service (stack consumption) via crafted xml file.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2016-4570 NameCVE-2016-4570 DescriptionThe mxmlDelete function in mxml-node.c in mxml 2.9, 2.7, and possibly earlier allows remote attackers to cause a denial of service (stack consumption) via crafted xml file. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) ReferencesDLA-1641-1โฆ
CVE-2016-4570
| Name | CVE-2016-4570 |
| Description | The mxmlDelete function in mxml-node.c in mxml 2.9, 2.7, and possibly earlier allows remote attackers to cause a denial of service (stack consumption) via crafted xml file. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1641-1 |
| Debian Bugs | 825855 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| mxml (PTS) | bullseye | 3.2-1 | fixed |
| bookworm, trixie | 3.3.1-1 | fixed | |
| forky, sid | 4.0.4-5 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| mxml | source | jessie | 2.6-2+deb8u1 | DLA-1641-1 | ||
| mxml | source | (unstable) | 2.9-1 | 825855 |
Notes
[wheezy] - mxml <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2016/05/07/8
https://github.com/michaelrsweet/mxml/commit/d8c0ba900728d47523d76ba4acf33176cd04647c
Apply commands
[wheezy] - mxml <no-dsa> (Minor issue)https://www.openwall.com/lists/oss-security/2016/05/07/8https://github.com/michaelrsweet/mxml/commit/d8c0ba900728d47523d76ba4acf33176cd04647cOS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Mixed 6 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.9-1 |
| sid | Fixed | 2.9-1 |
| forky | Fixed | 2.9-1 |
| bullseye | Fixed | 2.9-1 |
| bookworm | Fixed | 2.9-1 |
| 8.0 | Affected | โ |
References
- https://www.suse.com/security/cve/CVE-2016-4570.html
- http://www.openwall.com/lists/oss-security/2016/05/09/16
- http://www.openwall.com/lists/oss-security/2016/05/11/14
- http://www.securityfocus.com/bid/90315
- https://bugzilla.redhat.com/show_bug.cgi?id=1334648
- https://lists.debian.org/debian-lts-announce/2019/01/msg00018.html
- https://security-tracker.debian.org/tracker/CVE-2016-4570
CWEs
CWE-400
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.