Summary: | net-libs/libtlen bundles its internal (forked?) copy of libexpat | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Diego Elio Pettenò (RETIRED) <flameeyes> |
Component: | New packages | Assignee: | Marcin Jurczuk <spock> |
Status: | RESOLVED WONTFIX | ||
Severity: | normal | CC: | esigra, qa, security, seemant, treecleaner |
Priority: | High | Keywords: | PMASKED |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | Pending Removal: 2012-07-16 | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 251464, 280615, 303727, 407519, 421423 |
Description
Diego Elio Pettenò (RETIRED)
2008-12-18 09:59:49 UTC
(In reply to comment #0)
> Not so nice at all.

Indeed.

CVE-2009-2625 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2625): Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

^ This is really an expat vuln, wrt bug 280615

CVE-2009-3560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3560): The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.

Seemant, you are listed in metadata.xml as proxy-maintainer. Lastrite, or fix?

dropped