Bug 416209 (CVE-2011-3102) - <dev-libs/libxml2-2.8.0_rc1: OOB write in xpointer.c (CVE-2011-3102)
Summary: <dev-libs/libxml2-2.8.0_rc1: OOB write in xpointer.c (CVE-2011-3102)
Status: RESOLVED FIXED
Alias: CVE-2011-3102
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://code.google.com/p/chromium/is...
Whiteboard: A2 [glsa]
Reported: 2012-05-16 07:12 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-07-09 22:16 UTC

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-16 07:12:13 UTC
There are not many details, but the upstream patch is 
<http://git.gnome.org/browse/libxml2/commit/?id=d8e1faeaa99c7a7c07af01c1c72de352eb590a3e>
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-05-20 23:18:25 UTC
CVE-2011-3102 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3102):
  Off-by-one error in libxml2, as used in Google Chrome before 19.0.1084.46,
  allows remote attackers to cause a denial of service (out-of-bounds write)
  or possibly have unspecified other impact via unknown vectors.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-05-21 02:25:22 UTC
Fixed in libxml2-2.8.0_rc1 (the libxml2 upstream is finally on its way to making a new release)

>*libxml2-2.8.0_rc1 (21 May 2012)
>
>  21 May 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  -libxml2-2.7.8-r4.ebuild, +libxml2-2.8.0_rc1.ebuild,
>  +files/libxml2-2.8.0_rc1-randomization-threads.patch,
>  +files/libxml2-2.8.0_rc1-winnt.patch:
>  Version bump with numerous bugfixes, including for bug #416209 (out-of-bounds
>  write, CVE-2011-3102, thanks to Paweł Hajdan, Jr.). Drop old.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-05-21 06:58:16 UTC
Thanks. Just to make sure since this isn't a full release, are we moving to stabilize libxml2-2.8.0_rc1 now?
Comment 4 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-05-21 07:11:00 UTC
(In reply to comment #3)
> Thanks. Just to make sure since this isn't a full release, are we moving to
> stabilize libxml2-2.8.0_rc1 now?

It would be my recommendation. The git changelog between 2.7.8 and 2.8.0-rc1 basically consists of fixes for various parser errors, crashes, infinite loops, memory leaks, and security holes; the only new features are support for lzma compression and <meta charset>.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-05-21 07:13:43 UTC
Ok, thanks; then on we go. ;)

Arches, please test and mark stable:
=dev-libs/libxml2-2.8.0_rc1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 6 Brent Baude (RETIRED) gentoo-dev 2012-05-21 17:28:44 UTC
ppc done
Comment 7 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-05-21 19:09:31 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-05-21 20:40:00 UTC
amd64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2012-05-22 14:02:51 UTC
Stable for HPPA.
Comment 10 Oleg Gawriloff 2012-05-25 06:18:43 UTC
libxml2-2.8.0-rc1.tar.gz is no longer available at ftp://xmlsoft.org/libxml2/
pls update to rc2
Comment 11 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-05-25 07:14:07 UTC
(In reply to comment #10)

Fixed, thanks for noticing!

>*libxml2-2.8.0 (25 May 2012)
>
>  25 May 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  libxml2-2.8.0_rc1.ebuild, +libxml2-2.8.0.ebuild:
>  Version bump to 2.8.0 final. Point rc1's SRC_URI at Gentoo mirrors since the
>  rc1 tarball is no longer available from upstream (bug #416209 comment #10)..
Comment 12 Markus Meier gentoo-dev 2012-05-26 10:17:19 UTC
arm stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2012-05-26 17:23:12 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 14 Brent Baude (RETIRED) gentoo-dev 2012-05-29 15:32:32 UTC
ppc64 done
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2012-05-29 22:42:43 UTC
Thanks, folks. GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 22:16:48 UTC
This issue was resolved and addressed in
 GLSA 201207-02 at http://security.gentoo.org/glsa/glsa-201207-02.xml
by GLSA coordinator Sean Amoss (ackle).