Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 546720 (CVE-2015-1819)

Summary: <dev-libs/libxml2-2.9.2-r1: denial of service processing a crafted XML document (CVE-2015-1819)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1211278
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-04-16 07:14:44 UTC 
From ${URL} :

Florian Weimer from Red Hat reported an issue against libxml2, where a parser which uses libxml2 
chokes on a crafted XML document, allocating gigabytes of data.
This is a fine line between API misuse and an libxml2 bug.
Daniel Veillard have a fix for this issue already.

Patch:
https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-04-19 16:09:28 UTC 
Thanks, fixed:

+*libxml2-2.9.2-r1 (19 Apr 2015)
+
+  19 Apr 2015; Alexandre Rostovtsev <tetromino@gentoo.org>
+  +libxml2-2.9.2-r1.ebuild, +files/libxml2-2.9.2-constant-memory.patch,
+  +files/libxml2-2.9.2-missing-entities.patch,
+  +files/libxml2-2.9.2-threads-declarations.patch,
+  +files/libxml2-2.9.2-timsort.patch:
+  Add important patches from upstream, including a fix for a DoS vulnerability
+  (CVE-2015-1819, bug #546720, thanks to Agostino Sarubbo).

=dev-libs/libxml2-2.9.2-r1 needs to be stabilized.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-04-19 16:18:48 UTC 
Arches, please test and mark stable:

=dev-libs/libxml2-2.9.2-r1

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"

Thank you!
Comment 3 Agostino Sarubbo gentoo-dev 2015-04-20 09:04:05 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-04-20 09:04:19 UTC 
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-21 04:37:45 UTC 
Stable for HPPA.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-21 17:42:35 UTC 
Stable for PPC64.
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-04-24 21:48:56 UTC 
sparc stable
Comment 8 Pacho Ramos gentoo-dev 2015-04-26 16:59:41 UTC 
ppc stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-04-26 19:27:36 UTC 
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-04-28 07:30:54 UTC 
alpha stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-05-27 12:26:19 UTC 
arm stable
Comment 12 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-05-27 13:40:02 UTC 
Vulnerable versions have been removed.

+  27 May 2015; Alexandre Rostovtsev <tetromino@gentoo.org>
+  -libxml2-2.9.2.ebuild:
+  Clean up vulnerable versions.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-05-28 21:01:05 UTC 
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 22:35:27 UTC 
I would vote YES, but A3 should go straight to glsamaker anyway. Request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-07-07 07:23:20 UTC 
This issue was resolved and addressed in
 GLSA 201507-08 at https://security.gentoo.org/glsa/201507-08
by GLSA coordinator Mikle Kolyada (Zlogene).