{"id":"MGASA-2019-0159","summary":"Updated mxml packages fix security vulnerabilities","details":"Updated mxml packages fix security vulnerabilities:\n\nAn issue has been found in Mini-XML (aka mxml) 2.12. It is a stack-based\nbuffer overflow in mxml_write_node in mxml-file.c via vectors involving\na double-precision floating point number and the '\u003corder type=\"real\"\u003e'\nsubstring, as demonstrated by testmxml (CVE-2018-20004).\n\nAn issue has been found in Mini-XML (aka mxml) 2.12. It is a\nuse-after-free in mxmlWalkNext in mxml-search.c, as demonstrated by\nmxmldoc (CVE-2018-20005).\n\nIn Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd\nfunction of the mxml-node.c file. Remote attackers could leverage this\nvulnerability to cause a denial-of-service via a crafted xml file, as\ndemonstrated by mxmldoc (CVE-2018-20592).\n\nIn Mini-XML (aka mxml) v2.12, there is stack-based buffer overflow in\nthe scan_file function in mxmldoc.c (CVE-2018-20593).\n","modified":"2026-04-16T04:43:10.700987994Z","published":"2019-05-12T09:35:33Z","upstream":["CVE-2018-20004","CVE-2018-20005","CVE-2018-20592","CVE-2018-20593"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0159.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=24583"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N53IJHDYR5HVQLKH4J6B27OEQLGKSGY5/"}],"affected":[{"package":{"name":"mxml","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/mxml?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0159.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}