Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 638680 (CVE-2017-16931, CVE-2017-16932)

Summary: <dev-libs/libxml2-2.9.6: Multiple vulnerabilities
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: gnome, herrtimson
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-24 12:54:51 UTC
CVE-2017-16932 (
  parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in
  parameter entities.

CVE-2017-16931 (
  parser.c in libxml2 before 2.9.5 mishandles parameter-entity references
  because the NEXTL macro calls the xmlParserHandlePEReference function in the
  case of a '%' character in a DTD name.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-24 12:56:06 UTC
@Maintainers libxml2-2.9.6 is already stable on some arches, please confirm if we can stabilize it and clean previous versions.

Thank you
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2018-01-16 07:38:39 UTC
2.9.6 is ok to go stable for remaining arches.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-01-17 14:09:46 UTC
GLSA Vote: No

Cleanup will be tracked in bug #644574