Bug 638680 (CVE-2017-16931, CVE-2017-16932)

Summary:	<dev-libs/libxml2-2.9.6: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	gnome, herrtimson
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://xmlsoft.org/news.html
Whiteboard:	B3 [noglsa cve]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2017-11-24 12:54:51 UTC

CVE-2017-16932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16932):
  parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in
  parameter entities.

CVE-2017-16931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16931):
  parser.c in libxml2 before 2.9.5 mishandles parameter-entity references
  because the NEXTL macro calls the xmlParserHandlePEReference function in the
  case of a '%' character in a DTD name.

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-11-24 12:56:06 UTC

@Maintainers libxml2-2.9.6 is already stable on some arches, please confirm if we can stabilize it and clean previous versions.

Thank you

Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev

2018-01-16 07:38:39 UTC

2.9.6 is ok to go stable for remaining arches.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2018-01-17 14:09:46 UTC

GLSA Vote: No

Cleanup will be tracked in bug #644574