From $URL: XPath is a language for querying content from XML documents. The vulnerability lies in the module that processes this query language. Specifically, libxml2 does not properly process a malformed XPath expression, causing a crash. To exploit this vulnerability, a hacker may send the user a link containing malicious XPath. When the user opens this link, the malicious code will be executed, attacking the user's system.

The Red Hat bug (https://bugzilla.redhat.com/show_bug.cgi?id=645341) lists two upstream commits as fixing the issue:

http://git.gnome.org/browse/libxml2/commit/?id=91d19754d46acd4a639a8b9e31f50f31c78f8c9c
http://git.gnome.org/browse/libxml2/commit/?id=ea90b894146030c214a7df6d8375310174f134b9

In any case, 2.7.8 has been released and is fixed.
If you do use 2.7.8, do add the patch from:

http://git.gnome.org/browse/libxml2/commit/?id=00819877651b87842ed878898ba17dba489820f0
http://mail.gnome.org/archives/xml/2010-November/msg00016.html

Otherwise you get a lot of complaints like:

/usr/lib/libxml2.so.2: no version information available
(In reply to comment #1)
> Otherwise you get a lot of complaints like:
> /usr/lib/libxml2.so.2: no version information available

Yes, I tried to bump libxml2 some days ago but these messages prevented me from committing it :-S, hopefully any other gnome team member will know where the problem could be :-/
Another libxml2 vulnerability has been announced. CVE-2010-4494 is for a Double Free vulnerability in libxml2 through 2.7.8. Upstream fixes at:

http://git.gnome.org/browse/libxml2/commit/?id=df83c17e5a2646bd923f75e5e507bc80d73c9722
http://git.gnome.org/browse/libxml2/commit/?id=fec31bcd452e77c10579467ca87a785b41115de6
*** Bug 351954 has been marked as a duplicate of this bug. ***
*** Bug 353208 has been marked as a duplicate of this bug. ***
Bumped
(In reply to comment #6)
> Bumped

Awesome, thank you. Arches, please test and mark stable:

=dev-libs/libxml2-2.7.8

Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
x86 stable
amd64 done
alpha/arm/ia64/m68k/s390/sh/sparc stable
Stable for HPPA, despite:

ebuild.minorsyn 1 dev-libs/libxml2/libxml2-2.7.8.ebuild: Unquoted Variable on line: 100
ppc/ppc64 stable, last arch done
Thanks, everyone. GLSA request filed.
This bug perhaps needs to be closed, fixed, in tree.
This issue was resolved and addressed in GLSA 201110-26 at http://security.gentoo.org/glsa/glsa-201110-26.xml by GLSA coordinator Tim Sammut (underling).
CVE-2010-4008 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4008): libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document.
CVE-2010-4494 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4494): Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.