CVE-2017-0663
Publication date 14 June 2017
Last updated 24 July 2024
Ubuntu priority
A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| android | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Not in release | |
| libxml2 | 18.04 LTS bionic |
Not affected
|
| 16.04 LTS xenial |
Fixed 2.9.3+dfsg1-1ubuntu0.3
|
|
| 14.04 LTS trusty |
Fixed 2.9.1+dfsg1-3ubuntu4.10
|
Notes
tyhicks
Downgrading from high to medium as the invalid write consists of a an enum member within a struct being written with a constant value that's not attacker controlled. I suspect that this is quite difficult to exploit.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3424-1
- libxml2 vulnerabilities
- 19 September 2017
- USN-3424-2
- libxml2 vulnerabilities
- 10 October 2017