It was found that the hashing routine used by libxml2 arrays was susceptible to predictable hash collisions. Sending a specially-crafted message to an XML service could result in longer processing time, which could lead to a denial of service.

Advisory Info: https://rhn.redhat.com/errata/RHSA-2012-0324.html
Upstream Commit: http://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a
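The mechanism behind the report, as an added illustration that is not libxml2's code, the upstream commit, or the Gentoo patch: a small chained hash table keyed by a predictable xor/shift/add string hash, an attacker-side search for names that all land in one bucket (the "specially-crafted message"), and the effect of starting the hash state from a per-table secret, which is the shape of a hash-randomization fix. The hash function, bucket count, name length and the seed value are all assumptions chosen for the demo.

```c
/* Model of a predictable-hash collision DoS and the seeded fix.
 * Added illustration: the hash below is a generic xor/shift/add string hash
 * chosen for its shape, NOT a copy of libxml2's key function. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 256   /* small table so collisions are cheap to find */
#define NAME_LEN 4     /* attacker search space: lowercase names, 26^4 */
#define MAX_NAMES 64   /* how many colliding names the attacker wants */

/* Hash a name starting from `seed`. seed == 0 models the pre-fix behaviour
 * (every process hashes identically, so collisions can be precomputed);
 * a per-table random seed models the randomization fix. */
static unsigned long hash_name(const char *name, unsigned long seed)
{
    unsigned long value = seed;
    unsigned char ch;
    while ((ch = (unsigned char)*name++) != 0)
        value = value ^ ((value << 5) + (value >> 3) + ch);
    return value % NBUCKETS;
}

/* Attacker side: with the hash known and unseeded, enumerate names until
 * `want` of them share the bucket of the first candidate. Returns the
 * number found (all of them collide with each other by construction). */
int find_colliding_names(char names[][NAME_LEN + 1], int want)
{
    char cand[NAME_LEN + 1];
    unsigned long target = 0, i, total = 1;
    int found = 0, k;

    for (k = 0; k < NAME_LEN; k++)
        total *= 26;
    for (i = 0; i < total && found < want; i++) {
        unsigned long x = i;
        for (k = NAME_LEN - 1; k >= 0; k--) {   /* i -> base-26 name */
            cand[k] = (char)('a' + (x % 26));
            x /= 26;
        }
        cand[NAME_LEN] = '\0';
        if (found == 0)
            target = hash_name(cand, 0);        /* bucket of "aaaa" */
        if (hash_name(cand, 0) == target)
            strcpy(names[found++], cand);
    }
    return found;
}

/* Victim side: insert the names into a chained table and report the longest
 * chain, i.e. the number of string compares the worst lookup now costs. */
int longest_chain(char names[][NAME_LEN + 1], int n, unsigned long seed)
{
    int counts[NBUCKETS] = {0};
    int i, worst = 0;
    for (i = 0; i < n; i++) {
        int b = (int)hash_name(names[i], seed);
        if (++counts[b] > worst)
            worst = counts[b];
    }
    return worst;
}

/* Worst chain length when the attacker's precomputed names are inserted
 * into a table whose hash starts from `seed`. */
int worst_chain_for_seed(unsigned long seed)
{
    static char names[MAX_NAMES][NAME_LEN + 1];
    int n = find_colliding_names(names, MAX_NAMES);
    return longest_chain(names, n, seed);
}

int main(void)
{
    /* Arbitrary constant standing in for a per-process random value
     * (assumption for the demo; a real fix draws it from the OS RNG). */
    unsigned long seed = 0x2545F491UL;
    printf("longest chain, seed 0 (predictable hash): %d\n",
           worst_chain_for_seed(0));
    printf("longest chain, random seed:               %d\n",
           worst_chain_for_seed(seed));
    return 0;
}
```

With seed 0 all MAX_NAMES names end up in a single chain, so each lookup of a name from the attacker's list walks every entry; in a real parser that cost is paid once per attribute or element name, which is where the "longer processing time" comes from. With an unknown seed the same precomputed list spreads across buckets, and the attacker would have to redo the search against a seed it cannot observe.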
Fixed in 2.7.8-r5, thanks for reporting.

> *libxml2-2.7.8-r5 (23 Feb 2012)
>
>   23 Feb 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>   -libxml2-2.7.8-r1.ebuild, -libxml2-2.7.8-r2.ebuild, -libxml2-2.7.8-r3.ebuild,
>   +libxml2-2.7.8-r5.ebuild, +files/libxml2-2.7.8-hash-randomization.patch:
>   Add hashing randomization to prevent DoS vulnerability (CVE-2012-0841, bug
>   #405261, thanks to Michael Harrison for reporting). Drop old.
(In reply to comment #1)
> Fixed in 2.7.8-r5, thanks for reporting.

Thank you.

Arches, please test and mark stable:
=dev-libs/libxml2-2.7.8-r5
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
amd64 stable
ppc done
Archtested on x86: Everything OK. Compiles without issue, RDEPS successfully linked to libxml2 and tested xml functionality of a few applications.
x86 stable, thanks Dan
Stable on alpha.
ppc64 done
arm/ia64/m68k/s390/sh/sparc stable
Thanks, folks. GLSA Vote: yes.
Vote: yes. GLSA request filed.
This issue was resolved and addressed in GLSA 201203-04 at http://security.gentoo.org/glsa/glsa-201203-04.xml by GLSA coordinator Sean Amoss (ackle).