Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 250929 - dev-lisp/cl-albert contains an internal copy of expat
Summary: dev-lisp/cl-albert contains an internal copy of expat
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo TreeCleaner Project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: bundled-libs CVE-2009-3720
  Show dependency tree
 
Reported: 2008-12-14 13:43 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2010-04-06 17:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-14 13:43:01 UTC
I cannot say which version because some files were removed, would be nice if upstream made it possible to use a system library though.
Comment 1 Marijn Schouten (RETIRED) gentoo-dev 2009-08-24 09:06:25 UTC
I wouldn't be sad if someone killed cl-albert.
Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-01-09 17:53:46 UTC
(In reply to comment #1)
> I wouldn't be sad if someone killed cl-albert.
> 

Someone needs to fix it since it (may?) contain a security-vuln copy of expat. The time is near...
Comment 3 Ulrich Müller gentoo-dev 2010-01-09 19:00:27 UTC
Looks like everybody agrees on this one. Reassigning to treecleaners.
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2010-03-06 17:02:59 UTC
CVE-2009-2625 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2625):
  Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in
  JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20,
  and in other products, allows remote attackers to cause a denial of
  service (infinite loop and application hang) via malformed XML input,
  as demonstrated by the Codenomicon XML fuzzing framework.

^ This is really a expat vuln, wrt bug 280615

CVE-2009-3560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3560):
  The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
  as used in the XML-Twig module for Perl, allows context-dependent
  attackers to cause a denial of service (application crash) via an XML
  document with malformed UTF-8 sequences that trigger a buffer
  over-read, related to the doProlog function in lib/xmlparse.c, a
  different vulnerability than CVE-2009-2625 and CVE-2009-3720.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2010-04-06 17:39:10 UTC
Removed from tree.