| Summary: | <dev-libs/libxml2-2.9.4-r1: use-after-free (CVE-2016-5131) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | gnome, teika |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://googlechromereleases.blogspot.it/2016/07/stable-channel-update.html | ||
| Whiteboard: | A2 [glsa cve blocked] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 597116 | ||
| Bug Blocks: | |||
This is CVE-2016-5131 (already taken by bug 589278). @ Maintainer(s): Please consider applying this fix via rev-bump. *** This bug has been marked as a duplicate of bug 589278 *** This is not a duplicate. Libxml has a vulnerability. Chrome/chromium uses an its own bundled version, so if this issue is resolved in the bundled libxml version in chromium we need to fix it in the tree. (In reply to Agostino Sarubbo from comment #4) > This is not a duplicate. > > Libxml has a vulnerability. Chrome/chromium uses an its own bundled version, > so if this issue is resolved in the bundled libxml version in chromium we > need to fix it in the tree. Yes, it is a duplicate because you filed it against dev-libs/libxml2, which already has a bug filed. www-client/chromium does not bundle libxml2. If you want to open a proper bug then file it against www-client/google-chrome which does bundle libxml2. Security will work with the maintainer to identify a proper course of action concerning www-client/google-chrome. *** This bug has been marked as a duplicate of bug 589278 *** (In reply to Aaron Bauman from comment #5) > (In reply to Agostino Sarubbo from comment #4) > > This is not a duplicate. > > > > Libxml has a vulnerability. Chrome/chromium uses an its own bundled version, > > so if this issue is resolved in the bundled libxml version in chromium we > > need to fix it in the tree. > > Yes, it is a duplicate because you filed it against dev-libs/libxml2, which > already has a bug filed. www-client/chromium does not bundle libxml2. If > you want to open a proper bug then file it against www-client/google-chrome > which does bundle libxml2. Security will work with the maintainer to > identify a proper course of action concerning www-client/google-chrome. > > *** This bug has been marked as a duplicate of bug 589278 *** Sorry, there is no bug open for libxml2 already. I see what you mean. My mistake. (In reply to Aaron Bauman from comment #6) > Sorry, there is no bug open for libxml2 already. I see what you mean. My > mistake. No problem :) You may already know it, but Debian released a fix for CVE-2016-4658 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840553) and CVE-2016-5131 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840554). See also https://www.debian.org/security/2016/dsa-3744 This release is Debian's own one. Upstream has not fixed CVE-2016-9318 which affects libxml2-2.9.4 and earliear. BTW the last CVE item does not seem to be reported to Gentoo. Thanks Gentoo devs.Best regards. This issue was resolved and addressed in GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37 by GLSA coordinator Thomas Deutschmann (whissi). |
From ${URL} : [$3500][623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.