694362 – (CVE-2019-15903) <dev-libs/expat-2.2.8: heap-based buffer over-read via crafted XML input (CVE-2019-15903)

Bug 694362 (CVE-2019-15903) - <dev-libs/expat-2.2.8: heap-based buffer over-read via crafted XML input (CVE-2019-15903)

Summary: <dev-libs/expat-2.2.8: heap-based buffer over-read via crafted XML input (CVE...

Status:	RESOLVED FIXED

Alias:	CVE-2019-15903

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:	A3 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2019-09-14 13:44 UTC by Sebastian Pipping
Modified:	2019-11-25 00:19 UTC (History)
CC List:	0 users

See Also:
Package list:	=dev-libs/expat-2.2.8
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Pipping gentoo-dev

2019-09-14 13:44:14 UTC

I think we should stabilize 2.2.8 to get our users on safe ground.

Comment 1 Stabilization helper bot gentoo-dev

2019-09-14 13:59:38 UTC

An automated check of this bug failed - repoman reported dependency errors (6 lines truncated): 

> dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0) ['app-text/docbook2X']
> dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop) ['app-text/docbook2X']
> dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop/gnome) ['app-text/docbook2X']

Comment 2 Sebastian Pipping gentoo-dev

2019-09-14 18:34:47 UTC

(In reply to Stabilization helper bot from comment #1)
> An automated check of this bug failed - repoman reported dependency errors
> (6 lines truncated): 
> 
> > dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0) ['app-text/docbook2X']
> > dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop) ['app-text/docbook2X']
> > dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop/gnome) ['app-text/docbook2X']

Give me a second, I have an idea how to drop that dependency again...

Comment 3 Larry the Git Cow gentoo-dev

2019-09-14 18:39:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3857d108c142a4bf4d69df8fcf1e9d46c6b6609

commit a3857d108c142a4bf4d69df8fcf1e9d46c6b6609
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2019-09-14 18:38:29 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2019-09-14 18:38:39 +0000

    dev-libs/expat: Make use of shipped pre-compiled man page
    
    Bug: https://bugs.gentoo.org/694362
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-2.3.68, Repoman-2.3.16

 dev-libs/expat/expat-2.2.8.ebuild | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Comment 4 Sebastian Pipping gentoo-dev

2019-09-14 18:40:23 UTC

Done :)

Comment 5 Rolf Eike Beer archtester

2019-09-14 23:39:09 UTC

hppa/sparc stable

Comment 6 Stabilization helper bot gentoo-dev

2019-09-15 00:02:18 UTC

An automated check of this bug succeeded - the previous repoman errors are now resolved.

Comment 7 Aaron Bauman (RETIRED) gentoo-dev

2019-09-15 03:51:27 UTC

arm64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2019-09-16 07:56:30 UTC

x86 stable

Comment 9 Agostino Sarubbo gentoo-dev

2019-09-16 07:57:36 UTC

amd64 stable

Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev

2019-09-16 22:10:40 UTC

ia64/ppc/ppc64 stable

Comment 11 Agostino Sarubbo gentoo-dev

2019-09-20 12:10:17 UTC

s390 stable

Comment 12 Matt Turner gentoo-dev

2019-09-21 01:00:27 UTC

alpha stable

Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev

2019-09-24 11:39:40 UTC

New GLSA request filed.

Comment 14 Mikle Kolyada (RETIRED) archtester

2019-09-26 20:03:05 UTC

arm stable

Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-25 11:28:47 UTC

@ maintainer(s): Please cleanup and drop <dev-libs/expat-2.2.8!

Comment 16 Larry the Git Cow gentoo-dev

2019-10-26 10:44:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a865e40bcced3a011bfaf0f48e8e3ca24720121

commit 8a865e40bcced3a011bfaf0f48e8e3ca24720121
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2019-10-26 10:43:19 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2019-10-26 10:44:11 +0000

    dev-libs/expat: Remove vulnerable
    
    Bug: https://bugs.gentoo.org/694362
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-2.3.68, Repoman-2.3.16

 dev-libs/expat/Manifest           |  2 -
 dev-libs/expat/expat-2.2.6.ebuild | 97 ---------------------------------------
 dev-libs/expat/expat-2.2.7.ebuild | 96 --------------------------------------
 3 files changed, 195 deletions(-)

Comment 17 GLSAMaker/CVETool Bot gentoo-dev

2019-11-25 00:19:28 UTC

This issue was resolved and addressed in
 GLSA 201911-08 at https://security.gentoo.org/glsa/201911-08
by GLSA coordinator Aaron Bauman (b-man).