Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 833809 (CVE-2022-23308)

Summary: <dev-libs/libxml2-2.9.13: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 834458    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-20 20:43:53 UTC 
From URL:

"Security:
  [CVE-2022-23308] Use-after-free of ID and IDREF attributes
  (Thanks to Shinji Sato for the report)
  Use-after-free in xmlXIncludeCopyRange (David Kilzer)
  Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong)
  Fix memory leak in xmlXPathCompNodeTest
  Fix null pointer deref in xmlStringGetNodeList
  Fix several memory leaks found by Coverity (David King)"
Comment 1 Larry the Git Cow gentoo-dev 2022-02-21 01:13:35 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c38911533cea511c6c5a318e517da7d6df96ecb

commit 2c38911533cea511c6c5a318e517da7d6df96ecb
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-21 01:10:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-21 01:10:59 +0000

    dev-libs/libxml2: add 2.9.13
    
    Bug: https://bugs.gentoo.org/833809
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.9.13.ebuild | 240 +++++++++++++++++++++++++++++++++
 2 files changed, 241 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-02-21 02:00:47 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac5e34e355b38781725f213dc32976bc0467b16b

commit ac5e34e355b38781725f213dc32976bc0467b16b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-21 01:59:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-21 02:00:27 +0000

    dev-libs/libxml2: restore LDFLAGS patch; drop unnecessary test patch
    
    Bug: https://bugs.gentoo.org/833809
    Signed-off-by: Sam James <sam@gentoo.org>

 .../libxml2/{libxml2-2.9.13.ebuild => libxml2-2.9.13-r1.ebuild}     | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:32:12 UTC 
GLSA request filed
Comment 4 Larry the Git Cow gentoo-dev 2022-10-16 14:46:11 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=adf5474fd11ba8a07548c5e37fac5e66db57a112

commit adf5474fd11ba8a07548c5e37fac5e66db57a112
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:40:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:20 +0000

    [ GLSA 202210-03 ] libxml2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/833809
    Bug: https://bugs.gentoo.org/842261
    Bug: https://bugs.gentoo.org/865727
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-03.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 14:55:08 UTC 
GLSA released, all done!