CVE-2021-42260: TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.
Patch at https://sourceforge.net/p/tinyxml/git/merge-requests/1/ (noticed via https://git.alpinelinux.org/aports/commit/?id=500b389842db6847ba02a51d9d3191e8bbab840f). See https://sourceforge.net/p/tinyxml/git/merge-requests/1/ too.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d139a435333edbdb81869e7d4b984a7535e9eda8

commit d139a435333edbdb81869e7d4b984a7535e9eda8
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-08-27 08:42:10 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-08-27 08:42:53 +0000

    dev-libs/tinyxml: bump to add infinite loop patch

    Bug: https://bugs.gentoo.org/817863
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 .../files/tinyxml-2.6.2-CVE-2021-42260.patch | 23 ++++++++
 dev-libs/tinyxml/tinyxml-2.6.2-r5.ebuild | 68 ++++++++++++++++++++++
 2 files changed, 91 insertions(+)
Thanks!