Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 407519 (CVE-2012-0876)

Summary: <dev-libs/expat-2.1.0_beta3 : Multiple vulnerabilities (CVE-2012-{0876,1147,1148})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: freedesktop-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 253517, 250930, 251433, 251875, 255909, 407561    
Bug Blocks: 396397    
Attachments:
Description Flags
These reverse deps that must keep working none

Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-03-09 13:22:59 UTC
expat-2.1.0_beta2 now in CVS but it's without KEYWORDS and I'm asking bonsaikitten and/or flameeyes for a tinderbox run before adding KEYWORDS

so stay tuned...
Comment 2 Agostino Sarubbo gentoo-dev 2012-03-09 13:37:23 UTC
(In reply to comment #1)
> expat-2.1.0_beta2 now in CVS but it's without KEYWORDS and I'm asking
> bonsaikitten and/or flameeyes for a tinderbox run before adding KEYWORDS
> 
> so stay tuned...

thanks for rapid bump :)
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2012-03-09 13:42:20 UTC
Created attachment 304725 [details]
These reverse deps that must keep working

The default profile flags + USE="expat bluetooth webdav" enabled if this list still builds and everything still appears to be working, it should be OK
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2012-03-19 07:13:17 UTC
Since dropping beta3 to ~arch I haven't seen any problems related to expat and/or XML parsing. 

I think this it's safe to proceed here now with caution.

Test (including reverse deps!) & stabilize:

=dev-libs/expat-2.1.0_beta3 "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-03-21 21:57:04 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2012-03-23 10:31:59 UTC
amd64 stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2012-03-25 14:20:44 UTC
ppc done
Comment 8 Brent Baude (RETIRED) gentoo-dev 2012-03-25 14:49:52 UTC
ppc64 done
Comment 9 Markus Meier gentoo-dev 2012-03-28 05:42:34 UTC
arm stable
Comment 10 Samuli Suominen (RETIRED) gentoo-dev 2012-03-28 12:14:09 UTC
2.1.0 was released but I think we can continue with stabilizing 2.1.0_beta3 since it should solve all the sec bugs and get 2.1.0 in 30 days as normal ...
Comment 11 Andreas Schürch gentoo-dev 2012-04-04 17:54:54 UTC
x86 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2012-04-08 14:56:35 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2012-04-08 15:23:55 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-07-13 21:23:57 UTC
CVE-2012-1148 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1148):
  Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before
  2.1.0 allows context-dependent attackers to cause a denial of service
  (memory consumption) via a large number of crafted XML files that cause
  improperly-handled reallocation failures when expanding entities.

CVE-2012-1147 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1147):
  readfilemap.c in expat before 2.1.0 allows context-dependent attackers to
  cause a denial of service (file descriptor consumption) via a large number
  of crafted XML files.

CVE-2012-0876 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0876):
  The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values
  without restricting the ability to trigger hash collisions predictably,
  which allows context-dependent attackers to cause a denial of service (CPU
  consumption) via an XML file with many identifiers with the same value.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-14 16:06:18 UTC
YES too, request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 11:04:32 UTC
This issue was resolved and addressed in
 GLSA 201209-06 at http://security.gentoo.org/glsa/glsa-201209-06.xml
by GLSA coordinator Sean Amoss (ackle).