
Bug 573820 (CVE-2015-8806)

Summary: <dev-libs/libxml2-2.9.4: heap-buffer overread in dict.c
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1304636
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-02-04 09:17:28 UTC
From ${URL} :

A heap-buffer overread vulnerability was found in libxml2. A specially crafted file can cause the application to crash.

External bugzilla report with reproducer:

https://bugzilla.gnome.org/show_bug.cgi?id=749115

CVE assignment:

http://seclists.org/oss-sec/2016/q1/277

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 00:08:00 UTC
Fix landed in v2.9.4: https://bugzilla.gnome.org/show_bug.cgi?id=758605#c5

v2.9.4 landed in Gentoo repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/libxml2?id=b68f9389191396b4febff3e7b61f939189364426

Also, upstream changed tracking to CVE-2016-1839, see https://bugzilla.gnome.org/show_bug.cgi?id=749115#c9
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-11-19 04:05:01 UTC
Moving CVE alias to the proper bug 583888.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-01-16 21:23:47 UTC
This issue was resolved and addressed in GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-16 21:25:45 UTC
This issue was resolved and addressed in GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37 by GLSA coordinator Thomas Deutschmann (whissi).