Summary: | <dev-libs/libxml2-2.8.0-r3: buffer underflow (CVE-2012-5134) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Mike Gilbert <floppym> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | gnome |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://googlechromereleases.blogspot.com/2012/11/stable-channel-update.html | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=444826 | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Mike Gilbert
2012-11-26 19:02:17 UTC
Chrome patch: https://chromiumcodereview.appspot.com/11343029 Upstream commit: http://git.gnome.org/browse/libxml2/commit/?id=6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d Fixed in 2.8.0-r3; thanks for noticing the vulnerability report! >*libxml2-2.8.0-r3 (26 Nov 2012) > > 26 Nov 2012; Alexandre Rostovtsev <tetromino@gentoo.org> > +libxml2-2.8.0-r3.ebuild, > +files/libxml2-2.8.0-xmlParseAttValueComplex-underflow.patch: > Fix buffer underflow (bug #444836, CVE-2012-5134, thanks to Mike Gilbert). Arches, please test and mark stable: =dev-libs/libxml2-2.8.0-r3 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" Archtested on x86: Everything OK. - Compiles successfully with all USE-flag combinations, test phase passes. - Various rdeps successfully compile against =dev-libs/libxml2-2.8.0-r3. - Repoman reports no warnings that need addressing. - Verified library functionality through runtime testing of various packages that depend on libxml2, no discrepancies found. amd64 stable x86 stable Stable for HPPA. CVE-2012-5134 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5134): Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document. ppc stable arm stable ppc64 stable alpha/ia64/m68k/s390/sh/sparc stable Thanks, everyone. Updated existing GLSA draft. This issue was resolved and addressed in GLSA 201311-06 at http://security.gentoo.org/glsa/glsa-201311-06.xml by GLSA coordinator Sean Amoss (ackle). |