Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 281446

Summary: <dev-libs/libxml-1.8.17-r4: Multiple vulnerabilities (CVE-2004-{0110,0989}, CVE-2009-{2414,2416})
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE    
Severity: normal CC: leio, vostorga
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 281444    
Bug Blocks:    

Description Robert Buchholz (RETIRED) gentoo-dev 2009-08-14 09:27:56 UTC 
+++ This bug was initially created as a clone of Bug #280617 +++

Jukka Taimisto and Rauli Kaksonen from the CROSS project at Codenomicon reported the following vulnerabilities:
* Multiple pointer use-after-free flaws CVE-2009-2416
* Stack oveeflow when parsing recursive XML structures CVE-2009-2414

Furthermore, we missed patches for CVE-2004-0110 and CVE-2004-0989 that were needed for libxml-1 as well. Thanks to Victor Ostorga for noting that.

Since we never audited libxml for issues in libxml2, I wonder what the status of these CVEs is:
* CVE-2008-4409
* CVE-2008-4226
* CVE-2008-4225
* CVE-2008-3529
* CVE-2008-3281 and the original CVE-2003-1564
* CVE-2007-6284
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2010-01-18 17:08:33 UTC 
to be masked for removal
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2010-03-18 13:16:18 UTC 
It's masked now
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2010-04-20 16:14:43 UTC 
(In reply to comment #2)
> It's masked now
> 

and also removed. feel free to handle this bug as you see fit.
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 12:21:45 UTC 
The package is no longer in the tree. Should we make a decision about GLSA for those users who might still have it installed?
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-01-11 00:35:22 UTC 
No vote required as this was rated B2. Request filed.
Comment 6 Sergey Popov (RETIRED) gentoo-dev 2013-08-28 07:39:18 UTC 
Two years old, package is gone from tree. Closing as OBSOLETE