CVE-2017-0663

Priority
Medium
Description
A remote code execution vulnerability in libxml2 could enable an attacker
using a specially crafted file to execute arbitrary code within the context
of an unprivileged process. This issue is rated as High due to the
possibility of remote code execution in an application that uses this
library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0,
7.1.1, 7.1.2. Android ID: A-37104170.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
https://source.android.com/security/bulletin/2017-06-01
https://usn.ubuntu.com/usn/usn-3424-1
https://usn.ubuntu.com/usn/usn-3424-2
Bugs
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=598
https://bugzilla.gnome.org/show_bug.cgi?id=780228
Notes
 tyhicks> Downgrading from high to medium as the invalid write consists of a
  an enum member within a struct being written with a constant value that's not
  attacker controlled. I suspect that this is quite difficult to exploit.
Package
Source: libxml2 (LP Ubuntu Debian)
Upstream:released (2.9.4+dfsg1-3.1)
Ubuntu 12.04 ESM (Precise Pangolin):released (2.7.8.dfsg-5.1ubuntu4.18)
Ubuntu 14.04 LTS (Trusty Tahr):released (2.9.1+dfsg1-3ubuntu4.10)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.9.3+dfsg1-1ubuntu0.3)
Ubuntu 17.04 (Zesty Zapus):released (2.9.4+dfsg1-2.2ubuntu0.1)
Ubuntu 17.10 (Artful Aardvark):not-affected (2.9.4+dfsg1-3.1)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (2.9.4+dfsg1-3.1)
Patches:
Upstream:https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66
Package
Source: android (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):needs-triage
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 17.04 (Zesty Zapus):needs-triage
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
More Information

Updated: 2017-12-15 20:18:00 UTC (commit 13913)