Heap-based buffer overflow in the xmlParseAttValueComplex function in
parser.c in libxml2 before 2.7.0 allows context-dependent attackers
to cause a denial of service (crash) or possibly execute arbitrary
code via a long XML entity name.
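As an added defensive illustration (not code from this bug report, from libxml2 or from the referenced fix), the following Python check scans a document's DTD entity declarations and its entity references before parsing and reports any entity name longer than a configurable limit, so that such input can be rejected or logged at the application boundary on hosts that have not yet been upgraded. The length threshold, the regular expressions and both sample documents are constructed for this example; the real fix remains updating libxml2 as described in this report.

```python
import re

# Constructed threshold for this example: entity names in normal documents are
# short identifiers, so anything beyond this is treated as suspicious.
MAX_ENTITY_NAME_LEN = 64

# Internal DTD declarations such as <!ENTITY copy "Copyright"> or
# parameter entities such as <!ENTITY % pe "..."> (group 2 is the name).
_ENTITY_DECL = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)")

# General entity references in content or attribute values, e.g. &copy;.
# Character references (&#123;) are excluded by the '#' in the class.
_ENTITY_REF = re.compile(r"&([^\s;#<&]+);")


def oversized_entity_names(xml_text, limit=MAX_ENTITY_NAME_LEN):
    """Return the sorted list of distinct entity names longer than `limit`.

    Both declarations and references are inspected so that a long name is
    caught whether it is defined in the DTD or only used in the body.
    """
    names = set()
    for m in _ENTITY_DECL.finditer(xml_text):
        if len(m.group(2)) > limit:
            names.add(m.group(2))
    for m in _ENTITY_REF.finditer(xml_text):
        if len(m.group(1)) > limit:
            names.add(m.group(1))
    return sorted(names)


def is_safe_to_parse(xml_text, limit=MAX_ENTITY_NAME_LEN):
    """True when no entity name exceeds the limit; use as a pre-parse gate."""
    return not oversized_entity_names(xml_text, limit)


# Constructed sample input: a benign document with an ordinary entity.
BENIGN_DOC = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY copy "Copyright">
]>
<note title="&copy; 2008">text &amp; more</note>
"""

# Constructed sample input: the same shape, but with a 100-character entity
# name declared in the DTD and referenced from an attribute value.
LONG_NAME = "x" * 100
SUSPICIOUS_DOC = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE note [\n"
    f'  <!ENTITY {LONG_NAME} "v">\n'
    "]>\n"
    f'<note title="&{LONG_NAME};">t</note>\n'
)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("suspicious", SUSPICIOUS_DOC)):
        hits = oversized_entity_names(doc)
        verdict = "accept" if not hits else f"reject ({len(hits)} long name(s))"
        print(f"{label}: {verdict}")
```

The gate is deliberately conservative: it operates on the raw text rather than on a parsed tree, so it runs before any libxml2 code sees the input, and it rejects only on a property (an unusually long entity name) that well-formed application documents rarely have.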
We need to patch this, and a fix for #234099 would be appreciated too. A reproducer is available on request.
Thing is, no-one has fixed librsvg. Or at least, I didn't find any patches for it during my quick search yesterday.
So I really don't know what exactly we can do, except to start hacking on librsvg...
librsvg is not the only thing that breaks. Anything can break on an ABI break of a struct that wasn't made private properly; we just only know about librsvg, strigi and a few more (some of which might be due to using librsvg).
I was not successful in convincing upstream that ABI breaks are bad and should be treated like in glib and gtk+ - not done. So I need to patch this in an ABI-compatible way and include this one here. I hope I can work on that later today after I'm done with some work work.
libxml2-2.7.0 restored ABI before release and it's fine after all, as noted in bug 234099. libxml2-2.7.1 is in the tree now, and also addresses the security bug covered here, although note that it uses a different patch than the one in the referenced URL.
I won't add arches myself, because bug 234099 already does so. security@, please add them yourself if you deem that necessary.
GLSA request filed.