Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 877149 (CVE-2022-40303, CVE-2022-40304)

Summary: <dev-libs/libxml2-2.10.3: Multiple vulnerabilities
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 878569    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 18:44:37 UTC
From 2.10.3 release notes:

+v2.10.3: Oct 14 2022
+
+### Security
+
+- [CVE-2022-40304] Fix dict corruption caused by entity reference cycles
+- [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
+- Fix overflow check in SAX2.c
Comment 1 Larry the Git Cow gentoo-dev 2022-10-14 19:04:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=337cb12f6ac4729d216e81eda3552012ad065b87

commit 337cb12f6ac4729d216e81eda3552012ad065b87
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-14 18:50:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-14 19:04:09 +0000

    dev-libs/libxml2: add 2.10.3
    
    Bug: https://bugs.gentoo.org/877149
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.10.3.ebuild | 194 +++++++++++++++++++++++++++++++++
 2 files changed, 195 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 14:46:39 UTC
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2022-10-31 20:26:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=afe57ff3aad6191b756c24affca2cbef0b388d21

commit afe57ff3aad6191b756c24affca2cbef0b388d21
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:24:32 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:25:51 +0000

    [ GLSA 202210-39 ] libxml2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/877149
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-39.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-11-01 21:35:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e07628f6e8bffb7e8f154e6610e0f5d0393a901f

commit e07628f6e8bffb7e8f154e6610e0f5d0393a901f
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-01 21:02:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-01 21:12:15 +0000

    dev-libs/libxml2: drop 2.10.2
    
    Bug: https://bugs.gentoo.org/877149
    Bug: https://bugs.gentoo.org/878269
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 -
 dev-libs/libxml2/libxml2-2.10.2.ebuild | 194 ---------------------------------
 2 files changed, 195 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-01 21:36:05 UTC
Cleanup done, all done!