Subject: [ASA-201803-23] xerces-c: arbitrary code execution Arch Linux Security Advisory ASA-201803-23 ========================================== Severity: High Date : 2018-03-25 CVE-ID : CVE-2017-12627 Package : xerces-c Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-644 Summary ======= The package xerces-c before version 3.2.1-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 3.2.1-1. # pacman -Syu "xerces-c>=3.2.1-1" The problem has been fixed upstream in version 3.2.1. Workaround ========== None. Description =========== The Xerces-C XML parser mishandles certain kinds of external DTD references, resulting in dereference of a NULL pointer while processing the path to the DTD. The bug allows for a denial of service attack in applications that allow DTD processing and do not prevent external DTD usage, and could conceivably result in remote code execution. Impact ====== A remote attacker might be able to cause a denial of service or execute arbitrary code by submitting a crafted XML document with an external DTD path to an application using a vulnerable version of the xerces-c parser. References ========== https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt https://security.archlinux.org/CVE-2017-12627