Summary: | <dev-libs/libxml2-2.9.4-r1: Use after free via namespace node in XPointer ranges (CVE-2016-4658) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | gnome, teika |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1384424 | ||
Whiteboard: | A2 [glsa cve blocked] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 597116 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2016-10-14 14:03:27 UTC
CVE-2016-4658 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4658): libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. Patch not present in 2.9.4. Will require addition in tree or await upstream inclusion. You may already know it, but Debian released a fix for CVE-2016-4658 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840553) and CVE-2016-5131 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840554). See also https://www.debian.org/security/2016/dsa-3744 This release is Debian's own one, though the patches are in the upstream repo. Upstream has not fixed CVE-2016-9318 which affects libxml2-2.9.4 and earliear. BTW the last CVE item does not seem to be reported to Gentoo. (I made an almost identical comment at https://bugs.gentoo.org/show_bug.cgi?id=589816#c8) Thanks Gentoo devs. Best regards. This issue was resolved and addressed in GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37 by GLSA coordinator Thomas Deutschmann (whissi). |