
Bug 281446

Summary: <dev-libs/libxml-1.8.17-r4: Multiple vulnerabilities (CVE-2004-{0110,0989}, CVE-2009-{2414,2416})
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: normal
CC: leio, vostorga
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 281444
Bug Blocks:

Description Robert Buchholz (RETIRED) gentoo-dev 2009-08-14 09:27:56 UTC
+++ This bug was initially created as a clone of Bug #280617 +++

Jukka Taimisto and Rauli Kaksonen from the CROSS project at Codenomicon reported the following vulnerabilities:
* Multiple pointer use-after-free flaws CVE-2009-2416
* Stack overflow when parsing recursive XML structures CVE-2009-2414

Furthermore, we missed patches for CVE-2004-0110 and CVE-2004-0989 that were needed for libxml-1 as well. Thanks to Victor Ostorga for noting that.

Since we never audited libxml for issues in libxml2, I wonder what the status of these CVEs is:
* CVE-2008-4409
* CVE-2008-4226
* CVE-2008-4225
* CVE-2008-3529
* CVE-2008-3281 and the original CVE-2003-1564
* CVE-2007-6284
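The second class of issue named above, a stack overflow when the parser recurses once per nesting level of attacker-controlled XML, is easiest to see on a toy parser. The following is an added example for this bug page, not libxml or libxml2 code: it parses a simplified tag-only XML subset with a recursive-descent routine, once with an explicit nesting bound (the general mitigation, bounding recursion depth) and once without, against a constructed hostile input of thousands of nested elements. All names (`parse`, `try_parse`, `build_nested`, the 256 default) are this example's own assumptions.

```python
import re
from typing import List, Optional, Tuple

# Minimal tag tokenizer for a simplified XML subset (start/end tags only,
# no attributes, text or entities); enough to show the recursion hazard.
_TAG = re.compile(r"<(/?)([A-Za-z_][\w.\-]*)\s*>")


class DepthLimitExceeded(ValueError):
    """Raised when nesting exceeds the configured bound (a controlled failure)."""


def tokenize(xml: str) -> List[Tuple[str, str]]:
    """Return [('open'|'close', name), ...] for every tag in the input."""
    return [("close" if m.group(1) else "open", m.group(2)) for m in _TAG.finditer(xml)]


def _parse_element(tokens, pos, depth, max_depth):
    """Recursive descent: one stack frame per nesting level (the hazard)."""
    if max_depth is not None and depth > max_depth:
        raise DepthLimitExceeded(f"nesting depth {depth} exceeds limit {max_depth}")
    kind, name = tokens[pos]
    assert kind == "open"
    children = []
    pos += 1
    while True:
        if pos >= len(tokens):
            raise ValueError(f"unterminated element <{name}>")
        kind, tname = tokens[pos]
        if kind == "open":
            child, pos = _parse_element(tokens, pos, depth + 1, max_depth)
            children.append(child)
        else:
            if tname != name:
                raise ValueError(f"mismatched close tag </{tname}> for <{name}>")
            return (name, children), pos + 1


def parse(xml: str, max_depth: Optional[int] = 256):
    """Parse one root element into (name, [children]); max_depth=None disables the guard."""
    tokens = tokenize(xml)
    if not tokens or tokens[0][0] != "open":
        raise ValueError("document must start with an open tag")
    tree, end = _parse_element(tokens, 0, 1, max_depth)
    if end != len(tokens):
        raise ValueError("trailing content after root element")
    return tree


def tree_depth(node) -> int:
    """Depth of a parsed tree (root = 1)."""
    _name, children = node
    return 1 + max((tree_depth(c) for c in children), default=0)


def build_nested(depth: int, name: str = "a") -> str:
    """Constructed hostile input: `depth` nested elements, e.g. <a><a>...</a></a>."""
    return f"<{name}>" * depth + f"</{name}>" * depth


def try_parse(xml: str, max_depth: Optional[int]) -> str:
    """Classify the outcome: parsed, rejected by the depth guard, or stack exhausted."""
    try:
        parse(xml, max_depth)
        return "ok"
    except DepthLimitExceeded:
        return "depth-limited"
    except RecursionError:
        # CPython converts stack exhaustion into an exception; a C parser with
        # the same unbounded recursion would overrun the process stack instead.
        return "stack-exhausted"


if __name__ == "__main__":
    print(try_parse(build_nested(50), 256))     # ok
    print(try_parse(build_nested(5000), 256))   # depth-limited
    print(try_parse(build_nested(5000), None))  # stack-exhausted
```

The point of the comparison is the failure mode, not the parser: with the bound in place, over-deep input is rejected with an ordinary error before the recursion gets anywhere near the stack limit, while without it the same input drives the parser as deep as the runtime allows. Python happens to turn that into a catchable RecursionError; a native parser gets no such courtesy, which is what makes CVE-2009-2414 a crash rather than a parse error.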
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2010-01-18 17:08:33 UTC
to be masked for removal
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2010-03-18 13:16:18 UTC
It's masked now
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2010-04-20 16:14:43 UTC
(In reply to comment #2)
> It's masked now

and also removed. Feel free to handle this bug as you see fit.
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 12:21:45 UTC
The package is no longer in the tree. Should we make a decision about a GLSA for those users who might still have it installed?
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-01-11 00:35:22 UTC
No vote required as this was rated B2. Request filed.
Comment 6 Sergey Popov gentoo-dev 2013-08-28 07:39:18 UTC
Two years old, package is gone from tree. Closing as OBSOLETE