Summary: | <dev-libs/libxml2-2.8.0_rc1: OOB write in xpointer.c (CVE-2011-3102) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | barzog, gnome |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://code.google.com/p/chromium/issues/detail?id=125462 | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Paweł Hajdan, Jr. (RETIRED)
2012-05-16 07:12:13 UTC
CVE-2011-3102 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3102): Off-by-one error in libxml2, as used in Google Chrome before 19.0.1084.46, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors. Fixed in libxml2-2.8.0_rc1 (the libxml2 upstream is finally on its way to making a new release) >*libxml2-2.8.0_rc1 (21 May 2012) > > 21 May 2012; Alexandre Rostovtsev <tetromino@gentoo.org> > -libxml2-2.7.8-r4.ebuild, +libxml2-2.8.0_rc1.ebuild, > +files/libxml2-2.8.0_rc1-randomization-threads.patch, > +files/libxml2-2.8.0_rc1-winnt.patch: > Version bump with numerous bugfixes, including for bug #416209 (out-of-bounds > write, CVE-2011-3102, thanks to Paweł Hajdan, Jr.). Drop old. Thanks. Just to make sure since this isn't a full release, are we moving to stabilize libxml2-2.8.0_rc1 now? (In reply to comment #3) > Thanks. Just to make sure since this isn't a full release, are we moving to > stabilize libxml2-2.8.0_rc1 now? It would be my recommendation. The git changelog between 2.7.8 and 2.8.0-rc1 basically consists of fixes for various parser errors, crashes, infinite loops, memory leaks, and security holes; the only new features are support for lzma compression and <meta charset>. Ok, thanks; then on we go. ;) Arches, please test and mark stable: =dev-libs/libxml2-2.8.0_rc1 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" ppc done x86 stable amd64 stable Stable for HPPA. libxml2-2.8.0-rc1.tar.gz is no longer available at ftp://xmlsoft.org/libxml2/ pls update to rc2 (In reply to comment #10) Fixed, thanks for noticing! >*libxml2-2.8.0 (25 May 2012) > > 25 May 2012; Alexandre Rostovtsev <tetromino@gentoo.org> > libxml2-2.8.0_rc1.ebuild, +libxml2-2.8.0.ebuild: > Version bump to 2.8.0 final. Point rc1's SRC_URI at Gentoo mirrors since the > rc1 tarball is no longer available from upstream (bug #416209 comment #10).. arm stable alpha/ia64/m68k/s390/sh/sparc stable ppc64 done Thanks, folks. GLSA request filed. This issue was resolved and addressed in GLSA 201207-02 at http://security.gentoo.org/glsa/glsa-201207-02.xml by GLSA coordinator Sean Amoss (ackle). |