Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 444836 (CVE-2012-5134) - <dev-libs/libxml2-2.8.0-r3: buffer underflow (CVE-2012-5134)
Summary: <dev-libs/libxml2-2.8.0-r3: buffer underflow (CVE-2012-5134)
Status: RESOLVED FIXED
Alias: CVE-2012-5134
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-26 19:02 UTC by Mike Gilbert
Modified: 2013-11-10 15:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Gilbert gentoo-dev 2012-11-26 19:02:17 UTC 
I don't have any details, just a brief mention in the Google Chrome release notes. See URL.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-11-26 19:52:54 UTC 
Fixed in 2.8.0-r3; thanks for noticing the vulnerability report!

>*libxml2-2.8.0-r3 (26 Nov 2012)
>
>  26 Nov 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  +libxml2-2.8.0-r3.ebuild,
>  +files/libxml2-2.8.0-xmlParseAttValueComplex-underflow.patch:
>  Fix buffer underflow (bug #444836, CVE-2012-5134, thanks to Mike Gilbert).
Comment 3 Agostino Sarubbo gentoo-dev 2012-11-26 19:54:58 UTC 
Arches, please test and mark stable:
=dev-libs/libxml2-2.8.0-r3
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Dan Dexter 2012-11-27 01:28:19 UTC 
Archtested on x86: Everything OK.
- Compiles successfully with all USE-flag combinations, test phase passes.
- Various rdeps successfully compile against =dev-libs/libxml2-2.8.0-r3.
- Repoman reports no warnings that need addressing.
- Verified library functionality through runtime testing of various packages that depend on libxml2, no discrepancies found.
Comment 5 Agostino Sarubbo gentoo-dev 2012-11-27 12:19:04 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-11-27 12:20:13 UTC 
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-11-27 16:49:08 UTC 
Stable for HPPA.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-11-28 22:42:29 UTC 
CVE-2012-5134 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5134):
  Heap-based buffer underflow in the xmlParseAttValueComplex function in
  parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before
  23.0.1271.91, allows remote attackers to cause a denial of service or
  possibly execute arbitrary code via crafted entities in an XML document.
Comment 9 Agostino Sarubbo gentoo-dev 2012-11-29 17:00:35 UTC 
ppc stable
Comment 10 Markus Meier gentoo-dev 2012-12-02 10:49:25 UTC 
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2012-12-02 20:09:01 UTC 
ppc64 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2012-12-15 17:43:22 UTC 
alpha/ia64/m68k/s390/sh/sparc stable
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-16 15:10:55 UTC 
Thanks, everyone.

Updated existing GLSA draft.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-11-10 15:18:58 UTC 
This issue was resolved and addressed in
 GLSA 201311-06 at http://security.gentoo.org/glsa/glsa-201311-06.xml
by GLSA coordinator Sean Amoss (ackle).