There exists a denial of service problem in libxml's UTF-8
decoding functions. The xmlCurrentChar() function does not check
UTF-8 correctness and certain multibyte combinations can cause
the library to enter an infinite loop and hang, consuming
system resources. It is strongly recommended to upgrade if
your application accepts arbitrary xml user input.
The issue was originally discovered at Google by Brad Fitzpatrick
and further investigated by Peter Valchev and Will Drewry.
Patch and debugging by Daniel Veillard (libxml).
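The report above says the decoder reached an infinite loop because UTF-8 correctness was not checked. The defensive property that prevents that class of hang is simple to state: every decoding step must consume at least one byte, even on malformed input, and the decoder must reject overlong forms, surrogates, stray continuation bytes and truncated sequences instead of guessing. The following is an added illustration written for this page, not libxml2's code and not the patch attached to this bug; `utf8_decode_one` and `utf8_scan` are hypothetical names, and the sample buffers in `main` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of one decoding step. */
enum utf8_status { UTF8_OK = 0, UTF8_INVALID = 1, UTF8_TRUNCATED = 2 };

/*
 * Decode one UTF-8 sequence from s[0..len).  On success, store the code
 * point in *cp and the sequence length in *consumed.  On any error, set
 * *consumed to 1 so a caller that loops over a buffer always advances;
 * a decoder that can return "consumed 0" on bad input is exactly what
 * lets a scanner spin forever.  (Hypothetical helper, not xmlCurrentChar.)
 */
enum utf8_status utf8_decode_one(const unsigned char *s, size_t len,
                                 uint32_t *cp, size_t *consumed)
{
    size_t need;     /* continuation bytes expected after the lead byte */
    uint32_t min;    /* smallest value legal for this length; rejects overlongs */
    uint32_t v;

    *consumed = 1;
    *cp = 0;
    if (len == 0)
        return UTF8_TRUNCATED;

    unsigned char b0 = s[0];
    if (b0 < 0x80)                 { *cp = b0; return UTF8_OK; }
    else if ((b0 & 0xE0) == 0xC0)  { need = 1; v = b0 & 0x1F; min = 0x80; }
    else if ((b0 & 0xF0) == 0xE0)  { need = 2; v = b0 & 0x0F; min = 0x800; }
    else if ((b0 & 0xF8) == 0xF0)  { need = 3; v = b0 & 0x07; min = 0x10000; }
    else return UTF8_INVALID;      /* stray continuation byte or 0xF8..0xFF */

    if (len < need + 1)
        return UTF8_TRUNCATED;      /* sequence runs past end of buffer */

    for (size_t i = 1; i <= need; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return UTF8_INVALID;    /* expected 10xxxxxx continuation */
        v = (v << 6) | (s[i] & 0x3F);
    }

    /* Reject overlong encodings, UTF-16 surrogates and values above U+10FFFF. */
    if (v < min || v > 0x10FFFF || (v >= 0xD800 && v <= 0xDFFF))
        return UTF8_INVALID;

    *cp = v;
    *consumed = need + 1;
    return UTF8_OK;
}

/* Code point of the first sequence in s, or -1 if it is not well-formed. */
long utf8_first_cp(const char *s, size_t len)
{
    uint32_t cp;
    size_t n;
    if (utf8_decode_one((const unsigned char *)s, len, &cp, &n) != UTF8_OK)
        return -1;
    return (long)cp;
}

struct utf8_stats { size_t chars; size_t bad; };

/*
 * Walk a whole buffer, counting well-formed characters and bad bytes.
 * Terminates for any input because every step consumes at least one byte.
 */
struct utf8_stats utf8_scan(const char *s, size_t len)
{
    struct utf8_stats st = {0, 0};
    const unsigned char *p = (const unsigned char *)s;
    size_t pos = 0;
    while (pos < len) {
        uint32_t cp;
        size_t n;
        if (utf8_decode_one(p + pos, len - pos, &cp, &n) == UTF8_OK)
            st.chars++;
        else
            st.bad++;
        pos += n;   /* n >= 1 always, so pos strictly increases */
    }
    return st;
}

int main(void)
{
    /* Constructed samples: a valid euro sign, an overlong NUL, a truncated tail. */
    struct utf8_stats a = utf8_scan("\xE2\x82\xAC", 3);
    struct utf8_stats b = utf8_scan("a\xC0\x80z", 4);
    struct utf8_stats c = utf8_scan("\xE2\x82\xAC\xE2\x82", 5);
    printf("euro: %zu ok, %zu bad\n", a.chars, a.bad);
    printf("overlong: %zu ok, %zu bad\n", b.chars, b.bad);
    printf("truncated: %zu ok, %zu bad\n", c.chars, c.bad);
    return 0;
}
```

The scan loop is the point: if a parser's "current char" routine can ever report zero bytes consumed for input it did not understand, the loop above would never advance, which is the hang described in the report. Forcing a minimum of one byte per step, and treating the bad byte as an error rather than silently resynchronising, keeps the worst case linear in the input size.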
Created attachment 138787
Leonardo and Daniel, please prepare an updated ebuild with the patch and attach it to this bug if you want prestable testing. Please do not commit anything to CVS yet!
I am not sure whether we have daemons in the tree that accept XML input via libxml2. That would make this bug rather serious - for GNOME it seems to me, this merely will crash a user's application.
Created attachment 138790
Trivial bump. It works with my testing. I did re-name the patch to libxml2-2.6.30-CVE-2007-6284.patch, to make it fit better to gentoo's naming scheme, but that's it.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : ferdy
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : opfer
all fine on x86, test suite succeeds and I built some rdeps without problems (plus they still work)
Sparc is good; all tests run as they should.
HPPA is OK too.
looks good on ppc64
Adding Raúl for alpha, sorry for the delay.
Works fine on alpha/ia64
Looks good to me, too
Adding Brent for PPC.
Looks good for ppc too
All security supported arches ok'ed this.
Daniel, please commit to stable as soon as the disclosure date is up (currently Jan. 11)
This will be public in one hour, please commit after then. Thanks!
Okay, committed to stable. For the record: how do I get repoman to let me commit directly to stable?
--force, if I recall correctly.
Thanks, request filed.
Couldn't this affect apache2? I remember something that libxml2 was needed to build it?! AFAIK some proxy modules need libxml2.so. As I'm at work right now, I don't have time for an excessive search.
(In reply to comment #20)
> Couldn't this affect apache2?
Every package that _links_ to libxml is safe, as they now use the new version. Please take a look at the technique of "dynamic linking" (i.e. libraries).
Removing liaisons, nothing to do here