
Bug 405261 (CVE-2012-0841)

Summary: <dev-libs/libxml2-2.7.8-r5: hash table collisions CPU usage DoS (CVE-2012-0841)
Product: Gentoo Security
Reporter: Michael Harrison <n0idx80>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=787067
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 396397

Description Michael Harrison 2012-02-22 11:30:02 UTC
It was found that the hashing routine used by libxml2 arrays was
susceptible to predictable hash collisions. Sending a specially-crafted
message to an XML service could result in longer processing time, which
could lead to a denial of service.

Advisory Info:
https://rhn.redhat.com/errata/RHSA-2012-0324.html

Upstream Commit:
http://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a
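Added illustration of the mechanism behind this report and of the hash-randomization approach the fix takes; it is a constructed toy, not libxml2's xmlDict code or the upstream patch. The hash function, the anagram key set and the fixed seed constant are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS 64

/* Constructed toy hash, not libxml2's xmlDict routine. With randomized == 0
   it is an order-independent byte sum: every anagram of a key lands in the
   same bucket, so collisions are predictable from the algorithm alone.
   With randomized == 1 a per-table seed is mixed in using FNV-1a style
   steps, so the bucket an input lands in depends on a value the sender of
   the document does not know. */
static uint32_t toy_hash(const char *key, uint32_t seed, int randomized) {
    uint32_t h = randomized ? seed : 0;
    for (const unsigned char *p = (const unsigned char *)key; *p; p++)
        h = randomized ? (h ^ *p) * 16777619u : h + *p;
    return h % NBUCKETS;
}

/* Insert keys into a chained table and return the longest chain: that length
   is the per-lookup cost, which is what a collision DoS drives up. */
static int longest_chain(const char **keys, size_t n, uint32_t seed, int randomized) {
    int count[NBUCKETS] = {0};
    int worst = 0;
    for (size_t i = 0; i < n; i++) {
        int b = (int)toy_hash(keys[i], seed, randomized);
        if (++count[b] > worst)
            worst = count[b];
    }
    return worst;
}

/* Constructed input: the 12 distinct anagrams of "attr"; all of them share a
   byte sum, so all collide under the unseeded hash. */
static const char *colliding_keys[] = {
    "attr", "atrt", "artt", "tatr", "tart", "ttar",
    "ttra", "trat", "trta", "ratt", "rtat", "rtta",
};
#define NKEYS (sizeof colliding_keys / sizeof colliding_keys[0])

int main(void) {
    uint32_t seed = 0x9E3779B9u; /* stand-in for a per-process random seed */
    printf("unseeded  : longest chain %d of %zu keys\n",
           longest_chain(colliding_keys, NKEYS, seed, 0), NKEYS);
    printf("randomized: longest chain %d of %zu keys\n",
           longest_chain(colliding_keys, NKEYS, seed, 1), NKEYS);
    return 0;
}
```

Under the unseeded hash all 12 keys sit in one bucket, so every lookup walks the full chain; once a seed unknown to the sender is mixed in, the same input spreads across buckets.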
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-02-23 01:01:10 UTC
Fixed in 2.7.8-r5, thanks for reporting.

>*libxml2-2.7.8-r5 (23 Feb 2012)
>
>  23 Feb 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  -libxml2-2.7.8-r1.ebuild, -libxml2-2.7.8-r2.ebuild, -libxml2-2.7.8-r3.ebuild,
>  +libxml2-2.7.8-r5.ebuild, +files/libxml2-2.7.8-hash-randomization.patch:
>  Add hashing randomization to prevent DoS vulnerability (CVE-2012-0841, bug
>  #405261, thanks to Michael Harrison for reporting). Drop old.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-02-23 02:28:08 UTC
(In reply to comment #1)
> Fixed in 2.7.8-r5, thanks for reporting.
> 

Thank you.

Arches, please test and mark stable:
=dev-libs/libxml2-2.7.8-r5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-23 04:48:24 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2012-02-23 12:56:29 UTC
amd64 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2012-02-28 20:21:05 UTC
ppc done
Comment 6 Dan Dexter 2012-02-29 00:32:10 UTC
Archtested on x86: Everything OK.
Compiles without issue, RDEPS successfully linked to libxml2 and tested xml functionality of a few applications.
Comment 7 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-29 21:55:44 UTC
x86 stable, thanks Dan
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2012-03-02 13:43:34 UTC
Stable on alpha.
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-03-03 14:33:40 UTC
ppc64 done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-03-03 19:51:38 UTC
arm/ia64/m68k/s390/sh/sparc stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-03-03 20:11:15 UTC
Thanks, folks. GLSA Vote: yes.
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-04 20:55:48 UTC
Vote: yes. GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 01:33:38 UTC
This issue was resolved and addressed in GLSA 201203-04 at http://security.gentoo.org/glsa/glsa-201203-04.xml by GLSA coordinator Sean Amoss (ackle).