| Summary: | <dev-libs/libxml2-2.9.8-r1: Out-of-bounds read in htmlParseTryOrFinish | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | gnome |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://gitlab.gnome.org/GNOME/libxml2/issues/26 | ||
| See Also: |
https://bugzilla.gnome.org/show_bug.cgi?id=775200 https://bugzilla.redhat.com/show_bug.cgi?id=1449541 |
||
| Whiteboard: | A3 [noglsa cve] | ||
| Package list: |
dev-libs/libxml2-2.9.9
|
Runtime testing required: | --- |
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ad6bf6d6f3dbe00df33a5399c6762fb0ae1867f commit 2ad6bf6d6f3dbe00df33a5399c6762fb0ae1867f Author: Mike Frysinger <vapier@chromium.org> AuthorDate: 2019-01-03 11:08:40 +0000 Commit: Mike Frysinger <vapier@gentoo.org> CommitDate: 2019-01-03 11:21:38 +0000 dev-libs/libxml2: fix CVE-2017-8872 #618110 Bug: https://bugs.gentoo.org/618110 Signed-off-by: Mike Frysinger <vapier@gentoo.org> .../files/libxml2-2.9.8-CVE-2017-8872.patch | 65 ++++++ dev-libs/libxml2/libxml2-2.9.8-r1.ebuild | 217 +++++++++++++++++++++ 2 files changed, 282 insertions(+) x86 stable amd64 stable arm64 stable ia64 stable hppa stable ppc64 stable ppc stable sparc stable arm stable alpha stable s390 stable there were also CVE-2018-14404 and CVE-2018-14567 fixes in 2.9.8-r1 and 2.9.9. |
From ${URL} : The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure. Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=775200 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.