Comment 1 Dirkjan Ochtman (RETIRED) 2013-02-20 10:12:12 UTC

Looks like part of this originates with dev-libs/libxml2.

Comment 2 Alexandre Rostovtsev (RETIRED) 2013-02-20 14:58:04 UTC

The libxml2 side of things is fixed by dev-libs/libxml2-2.9.0-r2, which needs to be stabilized. (Note: please stabilize evolution-data-server-2.32.3-r3 at the same time - see bug #448798)

+*libxml2-2.9.0-r2 (20 Feb 2013)
+
+  20 Feb 2013; Alexandre Rostovtsev <tetromino@gentoo.org>
+  -libxml2-2.9.0.ebuild, +libxml2-2.9.0-r2.ebuild,
+  +files/libxml2-2.9.0-excessive-entity-expansion.patch:
+  Fix entity expansion DoS vulnerability (CVE-2013-1664, bug #458430, thanks to
+  Dirkjan Ochtman). Drop old.

Comment 3 Pacho Ramos 2013-02-20 20:50:17 UTC

Alexandre, is dev-libs/libxml2-2.9 ready for Gnome 2.32? I am still running 2.8 because I read a comment from some gnome herd member (I don't remember who :S) suggesting to wait for Gnome3 for using libxml-2.9 :/

Comment 4 Alexandre Rostovtsev (RETIRED) 2013-02-20 21:20:59 UTC

(In reply to comment #3)
> Alexandre, is dev-libs/libxml2-2.9 ready for Gnome 2.32? I am still running
> 2.8 because I read a comment from some gnome herd member (I don't remember
> who :S) suggesting to wait for Gnome3 for using libxml-2.9 :/

The only gnome-2.32 package that I know which used the old libxml2 buffer API is evolution-data-server, and I've fixed it by backporting the libxml2-2.9 compatibility patch from 3.6 to evolution-data-server-2.32.3-r3. If some other packages are affected, we can apply the same basic for fix them.

libxml2-2.9 has been unmasked for two months, and the only bug still open for it is games-rpg/eternal-lands (bug #449352) which doesn't have any stable versions in portage and so does not block libxml2-2.9.x stabilization.

Comment 5 Pacho Ramos 2013-02-24 18:04:33 UTC

CCing arches to stabilize libxml2-2.9.0-r2

Comment 6 Jeroen Roovers (RETIRED) 2013-02-24 20:45:13 UTC

(In reply to comment #5)
> CCing arches to stabilize libxml2-2.9.0-r2

No, like this, please:

Arch teams, please test and mark stable:
=dev-libs/libxml2-2.9.0-r2
Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86

Comment 7 Jeroen Roovers (RETIRED) 2013-02-24 22:10:23 UTC

Stable for HPPA.

Comment 8 Agostino Sarubbo 2013-02-25 12:09:21 UTC

amd64 stable

Comment 9 Agostino Sarubbo 2013-02-25 12:09:39 UTC

x86 stable

Comment 10 Agostino Sarubbo 2013-02-25 21:50:32 UTC

ppc stable

Comment 11 Agostino Sarubbo 2013-02-25 22:12:38 UTC

ppc64 stable

Comment 12 Agostino Sarubbo 2013-02-26 10:21:17 UTC

alpha stable

Comment 13 Agostino Sarubbo 2013-02-26 11:51:03 UTC

ia64 stable

Comment 14 Agostino Sarubbo 2013-02-26 12:00:30 UTC

arm stable

Comment 15 Agostino Sarubbo 2013-02-26 13:13:20 UTC

sparc stable

Comment 16 Agostino Sarubbo 2013-02-26 14:55:01 UTC

s390 stable

Comment 17 Agostino Sarubbo 2013-03-01 12:40:59 UTC

sh stable

Comment 18 Tobias Heinlein (RETIRED) 2013-03-24 19:54:49 UTC

Added to existing draft.

Comment 19 Agostino Sarubbo 2013-03-25 16:05:43 UTC

missing m68k

Comment 20 GLSAMaker/CVETool Bot 2013-04-11 16:41:22 UTC

CVE-2013-1664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1664):
  OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and
  Folsom; and Cinder Folsom allows remote attackers to cause a denial of
  service (resource consumption and crash) via an XML Entity Expansion (XEE)
  attack.

Comment 21 Agostino Sarubbo 2013-09-28 20:54:24 UTC

M68K is not anymore a stable arch, removing it from the cc list

Comment 22 GLSAMaker/CVETool Bot 2013-11-10 15:19:00 UTC

This issue was resolved and addressed in
 GLSA 201311-06 at http://security.gentoo.org/glsa/glsa-201311-06.xml
by GLSA coordinator Sean Amoss (ackle).