Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 589816

Summary: <dev-libs/libxml2-2.9.4-r1: use-after-free (CVE-2016-5131)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: gnome, teika
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://googlechromereleases.blogspot.it/2016/07/stable-channel-update.html
Whiteboard: A2 [glsa cve blocked]
Package list:
Runtime testing required: ---
Bug Depends on: 597116    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-07-27 08:09:05 UTC
From ${URL} :

[$3500][623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-11-19 00:50:50 UTC
This is CVE-2016-5131 (already taken by bug 589278).

@ Maintainer(s): Please consider applying this fix via rev-bump.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-19 01:14:39 UTC

*** This bug has been marked as a duplicate of bug 589278 ***
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-19 09:18:45 UTC
This is not a duplicate.

Libxml has a vulnerability. Chrome/chromium uses an its own bundled version, so if this issue is resolved in the bundled libxml version in chromium we need to fix it in the tree.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-19 09:34:49 UTC
(In reply to Agostino Sarubbo from comment #4)
> This is not a duplicate.
> 
> Libxml has a vulnerability. Chrome/chromium uses an its own bundled version,
> so if this issue is resolved in the bundled libxml version in chromium we
> need to fix it in the tree.

Yes, it is a duplicate because you filed it against dev-libs/libxml2, which already has a bug filed.  www-client/chromium does not bundle libxml2.  If you want to open a proper bug then file it against www-client/google-chrome which does bundle libxml2.  Security will work with the maintainer to identify a proper course of action concerning www-client/google-chrome.

*** This bug has been marked as a duplicate of bug 589278 ***
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-19 09:44:54 UTC
(In reply to Aaron Bauman from comment #5)
> (In reply to Agostino Sarubbo from comment #4)
> > This is not a duplicate.
> > 
> > Libxml has a vulnerability. Chrome/chromium uses an its own bundled version,
> > so if this issue is resolved in the bundled libxml version in chromium we
> > need to fix it in the tree.
> 
> Yes, it is a duplicate because you filed it against dev-libs/libxml2, which
> already has a bug filed.  www-client/chromium does not bundle libxml2.  If
> you want to open a proper bug then file it against www-client/google-chrome
> which does bundle libxml2.  Security will work with the maintainer to
> identify a proper course of action concerning www-client/google-chrome.
> 
> *** This bug has been marked as a duplicate of bug 589278 ***

Sorry, there is no bug open for libxml2 already.  I see what you mean.  My mistake.
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-19 10:09:01 UTC
(In reply to Aaron Bauman from comment #6)
> Sorry, there is no bug open for libxml2 already.  I see what you mean.  My
> mistake.

No problem :)
Comment 8 Teika kazura 2016-12-24 07:13:40 UTC
You may already know it, but Debian released a fix for CVE-2016-4658 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840553) and CVE-2016-5131 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840554). See also https://www.debian.org/security/2016/dsa-3744

This release is Debian's own one. Upstream has not fixed CVE-2016-9318 which affects libxml2-2.9.4 and earliear.

BTW the last CVE item does not seem to be reported to Gentoo.

Thanks Gentoo devs.Best regards.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-01-16 21:26:23 UTC
This issue was resolved and addressed in
 GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37
by GLSA coordinator Thomas Deutschmann (whissi).