Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 847952 (CVE-2021-42859, CVE-2021-42860)

Summary: <dev-libs/mxml-3.3: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: conikost
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/michaelrsweet/mxml/issues/286
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-28 17:16:13 UTC
CVE-2021-42859:

A memory leak issue was discovered in Mini-XML v3.2 that could cause a denial of service.

CVE-2021-42860:

A stack buffer overflow exists in Mini-XML v3.2. When inputting an unformed XML string to the mxmlLoadString API, it will cause a stack-buffer-overflow in mxml_string_getc:2611.

"Fixed in master", but unsure about where the actual fix is.
Comment 1 Conrad Kostecki gentoo-dev 2022-05-29 11:19:31 UTC
Based on the Github issue, it should be fixed in 3.3. I was also not able to reproduce with current version 3.3 in tree.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-29 15:26:52 UTC
Thanks!
Comment 3 Conrad Kostecki gentoo-dev 2024-04-18 19:25:47 UTC
I guess, we can close here and release _no_ GLSA.

Seeing https://github.com/michaelrsweet/mxml/issues/286, the CVE was rejected by upstream.

https://www.cve.org/CVERecord?id=CVE-2021-42859 also lists as disputed.