CVE-2007-6284: Medium severity Mandrakesoft Mandrake Linux Corporate Server vulnerability
Description: There exists a denial of service problem in libxml's UTF-8 decoding functions. The xmlCurrentChar() function does not check UTF-8 correctness, and certain multibyte combinations can cause the library to enter an infinite loop and hang, consuming system resources. It is strongly recommended to upgrade if your application accepts arbitrary XML user input.
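The defensive property the description above points at is that a UTF-8 decoder must validate every continuation byte and must always consume at least one byte, even on malformed input, so that the caller's position advances and the scan loop terminates. The following is an added, constructed example of such a decoder (not libxml code, and not a reconstruction of the patched xmlCurrentChar()); the function names utf8_next and utf8_scan are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode one UTF-8 code point from buf[0..len). Returns the number of bytes
 * consumed (always >= 1 when len > 0) and stores the code point in *cp.
 * On a malformed sequence it stores U+FFFD and consumes exactly one byte, so
 * a caller that adds the return value to its position can never get stuck.
 * Constructed example; not libxml's implementation. */
size_t utf8_next(const unsigned char *buf, size_t len, uint32_t *cp) {
    if (len == 0) return 0;
    unsigned char b0 = buf[0];
    size_t need;   /* number of continuation bytes expected */
    uint32_t c;
    if (b0 < 0x80) { *cp = b0; return 1; }
    else if ((b0 & 0xE0) == 0xC0) { need = 1; c = b0 & 0x1F; }
    else if ((b0 & 0xF0) == 0xE0) { need = 2; c = b0 & 0x0F; }
    else if ((b0 & 0xF8) == 0xF0) { need = 3; c = b0 & 0x07; }
    else { *cp = 0xFFFD; return 1; }  /* stray continuation byte or 0xF8..0xFF */
    if (need >= len) { *cp = 0xFFFD; return 1; }  /* sequence truncated by end of buffer */
    for (size_t i = 1; i <= need; i++) {
        if ((buf[i] & 0xC0) != 0x80) { *cp = 0xFFFD; return 1; }  /* bad continuation byte */
        c = (c << 6) | (buf[i] & 0x3F);
    }
    /* Reject overlong encodings, UTF-16 surrogates and values above U+10FFFF. */
    if ((need == 1 && c < 0x80) || (need == 2 && c < 0x800) ||
        (need == 3 && (c < 0x10000 || c > 0x10FFFF)) ||
        (c >= 0xD800 && c <= 0xDFFF)) { *cp = 0xFFFD; return 1; }
    *cp = c;
    return need + 1;
}

/* Walk a whole buffer, counting decoded code points (*ncp) and returning the
 * number of malformed sequences. Because utf8_next() always consumes at least
 * one byte, this loop terminates for every possible input. A genuine U+FFFD in
 * the input is encoded as three bytes, so "used == 1" identifies real errors. */
size_t utf8_scan(const unsigned char *buf, size_t len, size_t *ncp) {
    size_t pos = 0, bad = 0, n = 0;
    while (pos < len) {
        uint32_t cp;
        size_t used = utf8_next(buf + pos, len - pos, &cp);
        if (cp == 0xFFFD && used == 1) bad++;
        n++;
        pos += used;
    }
    if (ncp) *ncp = n;
    return bad;
}
```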
Provided by: The issue was originally discovered at Google by Brad Fitzpatrick and further investigated by Peter Valchev and Will Drewry. Patch and debugging by Daniel Veillard (libxml).
Acknowledgements:
Red Hat would like to thank the Google Security Team for responsibly disclosing this issue.
Other sources
The xmlCurrentChar function in libxml2 before 2.6.31 allows context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences.
— MITRE
Remediation
Patch Available
Frequently Asked Questions
What is the severity of CVE-2007-6284?
CVE-2007-6284 is classified as a denial of service vulnerability that can cause the affected applications to hang indefinitely.
How do I fix CVE-2007-6284?
To mitigate CVE-2007-6284, it is recommended to update the libxml library to a patched version provided by your Linux distribution.
Which software is affected by CVE-2007-6284?
CVE-2007-6284 affects various versions of Debian Linux (3.1 and 4.0) and Mandrake Linux (2007 and 2008).
What causes the issue in CVE-2007-6284?
The issue in CVE-2007-6284 is due to the xmlCurrentChar() function in libxml not validating UTF-8 encoding correctly.
Can CVE-2007-6284 be exploited remotely?
Yes, CVE-2007-6284 can be exploited remotely if a malicious user sends specially crafted UTF-8 data to an application using the affected libxml library.