| Summary: | <dev-libs/libxml2-2.9.4-r3: Missing validation for external entities in xmlParsePEReference (CVE-2017-7375) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Volkan <vBugZilla> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | gnome |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1462203 | | |
| Whiteboard: | B3 [glsa cve] | | |
| Package list: | dev-libs/libxml2-2.9.4-r3 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | | | |
| Bug Blocks: | 599192, 605208, 618604, 622914 | | |
Description
Volkan
2017-06-30 21:46:32 UTC
Patches for this issue have been pushed in libxml-2.9.4-r2. Please note that:

* patches were cherry-picked from upstream master according to information found in this ticket; some patches were harder to find due to upstream blocking access to it.
* unit tests in the ebuild have actually not been run for a long time, most likely due to a problem when porting to multilib. Maybe it existed before, didn't check yet.

Anyway, as lots of other security-related fixes are pending an upstream release, I pushed this as a stopgap until I get more time to do a proper snapshot and fix these unit test issues.

After pushing r2, I found out Debian had just pushed its DSA as well, so I updated our patch stack with patches referenced in their package.

Hello arches, please test and stabilize dev-libs/libxml-2.9.4-r3, which ships with several security-related patches. While working on this, I figured out the test suite was inadvertently disabled when the ebuild was converted to multilib, so I took the opportunity to reactivate it and disabled the one failing test I found (there were a couple more failing in r2).

This revision should cover the following security bugs:

* https://bugs.gentoo.org/show_bug.cgi?id=599192
* https://bugs.gentoo.org/show_bug.cgi?id=618604
* https://bugs.gentoo.org/show_bug.cgi?id=623206
* https://bugs.gentoo.org/show_bug.cgi?id=622914
* https://bugs.gentoo.org/show_bug.cgi?id=605208

And a non-security bug:

* https://bugs.gentoo.org/show_bug.cgi?id=586886

An automated check of this bug failed - the following atom is unknown: dev-libs/libxml-2.9.4-r3. Please verify the atom list.

amd64 stable

alpha stable

ia64 stable

x86 stable

arm stable

sparc stable (thanks to Dakon)

hppa stable (thanks to Dakon)

ppc64 stable

ppc stable

Thank you arches. @security, please add to CVE and vote on GLSA. @maintainer(s) please clean up... apologies for rushing.

This and all related bugs added to GLSA request.

This issue was resolved and addressed in GLSA 201711-01 at https://security.gentoo.org/glsa/201711-01 by GLSA coordinator Christopher Diaz Riveros (chrisadr).

@Maintainers Re-opening for cleanup. @arm64 please try to finish stabilization. Thank you.

Cleanup will be tracked in bug #644574.