CVE-2018-9251: Loop with Unreachable Exit Condition ('Infinite Loop')

April 4, 2018 (updated October 3, 2019)

The xz_decomp function in xzlib.c in libxml2, if –with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.

References

bugzilla.gnome.org/show_bug.cgi?id=794914
lists.debian.org/debian-lts-announce/2018/09/msg00035.html
nvd.nist.gov/vuln/detail/CVE-2018-9251

Code Behaviors & Features

Detect and mitigate CVE-2018-9251 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →