
Bug 476438 (CVE-2013-2877)

Summary: <dev-libs/libxml2-2.9.1-r1: Unspecified Denial of Service Vulnerability (CVE-2013-2877)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome, m68k
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/54112/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=483632
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 458740, 466238

Description Agostino Sarubbo gentoo-dev 2013-07-10 18:59:18 UTC
From ${URL} :

Description

A vulnerability has been reported in Libxml2, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library.

The vulnerability is caused by an unspecified error when parsing XML files and can be exploited to cause a crash via a specially crafted XML file.

Solution:
Fixed in the GIT repository.

Further details available to Secunia VIM customers

Provided and/or discovered by:
Aki Helin, OUSPG

Original Advisory:
Debian bug-tracker:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715531
@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-10 19:29:10 UTC
This was fixed upstream in libxml2-2.9.1; we need to bump.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-11 03:25:32 UTC
Fixed in 2.9.1, which now needs to be tested and stabilized everywhere.

@m68k arch maintainers, if you do not have the time to keep up with security stabilizations, please remove your stable keywords and declare that your arch is unstable like mips :/

+*libxml2-2.9.1 (11 Jul 2013)
+
+  11 Jul 2013; Alexandre Rostovtsev <tetromino@gentoo.org>
+  libxml2-2.8.0-r3.ebuild, -libxml2-2.8.0-r4.ebuild, -libxml2-2.9.0-r1.ebuild,
+  +libxml2-2.9.1.ebuild, +files/libxml2-2.9.1-compression-detection.patch,
+  +files/libxml2-2.9.1-missing-break.patch,
+  +files/libxml2-2.9.1-non-ascii-cr-lf.patch,
+  +files/libxml2-2.9.1-python-2.6.patch, +files/libxml2-2.9.1-python3.patch:
+  Version bump. Fixes denial-of-service vulnerability (bug #476438,
+  CVE-2013-2877, thanks to Agostino Sarubbo). Drop old versions, except for
+  2.8.0-r3 which for some reason was the only revision keyworded stable on
+  m68k.
Comment 3 Agostino Sarubbo gentoo-dev 2013-07-11 04:48:28 UTC
Arches, please test and mark stable:
=dev-libs/libxml2-2.9.1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-11 11:55:25 UTC
Stable for HPPA.
Comment 5 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-12 05:17:15 UTC
For arches that haven't stabilized 2.9.1 yet, I suggest changing the stabilization target to =libxml2-2.9.1-r1 since it includes a fix for bug #476586
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-12 20:40:50 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-13 01:37:10 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-07-13 07:48:17 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-07-13 17:59:59 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-07-13 19:10:22 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-07-14 14:18:17 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-07-14 17:37:26 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-07-21 15:52:46 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-07-21 17:40:50 UTC
sh stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-07-21 17:55:25 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-08-06 12:32:47 UTC
s390 stable
Comment 17 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-23 14:57:35 UTC
GLSA request filed.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 03:26:12 UTC
CVE-2013-2877 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2877):
  parser.c in libxml2 before 2.9.0, as used in Google Chrome before
  28.0.1500.71 and other products, allows remote attackers to cause a denial
  of service (out-of-bounds read) via a document that ends abruptly, related
  to the lack of certain checks for the XML_PARSER_EOF state.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-11-10 15:19:09 UTC
This issue was resolved and addressed in GLSA 201311-06 at http://security.gentoo.org/glsa/glsa-201311-06.xml by GLSA coordinator Sean Amoss (ackle).