Bug 905399 - <dev-libs/libxml2-2.11.1: Multiple vulnerabilities
Summary: <dev-libs/libxml2-2.11.1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 906088 906095 906124 906206 906227 906309 906641 907226 907384 909634
Blocks:
Reported: 2023-05-01 06:21 UTC by Sam James
Modified: 2024-02-09 09:39 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-01 06:21:35 UTC
From NEWS:
"""
+v2.11.0: Apr 28 2023
+
+### Major changes
+
+Protection against entity expansion attacks, also known as "billion laughs"
+has been greatly improved. Malicious files should be detected reliably now
+and false positives should be reduced. It is possible though that large
+documents which make heavy use of entities are rejected now.
+
[...]
+### Security
+
+- Fix use-after-free in xmlParseContentInternal() (David Kilzer)
+- xmllint: Fix use-after-free with --maxmem
+- parser: Fix OOB read when formatting error message
+- entities: Rework entity amplification checks
[...]
"""
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-01 06:22:06 UTC
This version is currently masked for testing.

Alpine already had to fix a bunch of test failures (or skip stuff for now).

# Sam James <sam@gentoo.org> (2023-05-01)
# Masked for testing. Other distros seem to have hit a bunch of new test
# failures in various applications, and initially there were ABI issues in .0.
>=dev-libs/libxml2-2.11.0
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-10 19:45:57 UTC
commit 9b2ad65342b2445a38775260e7f4497d06466ee4
Author: Sam James <sam@gentoo.org>
Date:   Wed May 10 20:33:44 2023 +0100

    profiles: unmask new libxml2

    Seems to have fixed the python bindings issue too: https://gitlab.gnome.org/GNOME/libxml2/-/commit/76c6da420923f2721a2e16adfcef8707a2454a1b.

    Closes: https://bugs.gentoo.org/745162
    Signed-off-by: Sam James <sam@gentoo.org>
Comment 3 Larry the Git Cow gentoo-dev 2023-05-19 00:30:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64f596cbb52d0955503281d6998154eacb48d065

commit 64f596cbb52d0955503281d6998154eacb48d065
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-19 00:29:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-19 00:29:27 +0000

    dev-libs/libxml2: add 2.11.4
    
    This _might_ fix the LibreOffice issue.
    
    Bug: https://bugs.gentoo.org/905399
    Bug: https://bugs.gentoo.org/906206
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.11.4.ebuild | 195 +++++++++++++++++++++++++++++++++
 2 files changed, 196 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2023-05-20 07:18:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74742dfaadb00f833e7c786c9ea99e0c5e165176

commit 74742dfaadb00f833e7c786c9ea99e0c5e165176
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-20 07:17:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-20 07:17:48 +0000

    profiles: mask intermediate bad libxml2-2.11.* (before <2.11.4)
    
    >=2.11.4 is fine, just 2.11.1 up to 2.11.3 were buggy. Mask to avoid
    confusing bug reports.
    
    Bug: https://bugs.gentoo.org/906206
    Bug: https://bugs.gentoo.org/905399
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
Comment 5 Hans de Graaff gentoo-dev Security 2023-12-02 09:04:37 UTC
I've just removed the dev-ruby/nokogiri versions that required libxml-2.10 specifically, so the vulnerable versions can now be removed.
Comment 6 Larry the Git Cow gentoo-dev 2023-12-28 03:43:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=889ba46a2e07a740429cf26c3472ba6f6d527a2f

commit 889ba46a2e07a740429cf26c3472ba6f6d527a2f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-12-28 03:37:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-28 03:37:49 +0000

    dev-libs/libxml2: drop 2.10.4, 2.11.4
    
    Bug: https://bugs.gentoo.org/905399
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   2 -
 dev-libs/libxml2/libxml2-2.10.4.ebuild | 203 ---------------------------------
 dev-libs/libxml2/libxml2-2.11.4.ebuild | 202 --------------------------------
 3 files changed, 407 deletions(-)
Comment 7 Larry the Git Cow gentoo-dev 2024-02-09 09:37:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e85e47ba7c520c0a553d527c33c5c297cb8ff286

commit e85e47ba7c520c0a553d527c33c5c297cb8ff286
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-09 09:36:36 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-09 09:37:22 +0000

    [ GLSA 202402-11 ] libxml2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/904202
    Bug: https://bugs.gentoo.org/905399
    Bug: https://bugs.gentoo.org/915351
    Bug: https://bugs.gentoo.org/923806
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-11.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)