Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 239346 - dev-libs/libxml2 <2.7.2 "ampproblem" DoS (CVE-2008-4409)
Summary: dev-libs/libxml2 <2.7.2 "ampproblem" DoS (CVE-2008-4409)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.gnome.org/show_bug.c...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks: CVE-2008-3281
  Show dependency tree
 
Reported: 2008-10-02 16:51 UTC by Robert Buchholz (RETIRED)
Modified: 2008-12-02 17:46 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
libxml2-2.7.1-r1.ebuild (libxml2-2.7.1-r1.ebuild,3.52 KB, text/plain)
2008-10-03 11:35 UTC, Stefan Behte (RETIRED)
no flags Details
libxml2-2.7.1-parser-dos.patch (libxml2-2.7.1-parser-dos.patch,339 bytes, text/plain)
2008-10-03 11:36 UTC, Stefan Behte (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-10-02 16:51:42 UTC
+++ This bug was initially created as a clone of Bug #234099 +++

Christian Weiske wrote:
> Do I see this right that the issue should be fixed in libxml-2.7.1? I still
> have it, just try download http://tmp.cweiske.de/manual.xml and run "xmllint
> manual.xml"
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-10-03 01:18:16 UTC
Patched:
http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3798

To be released soon.
Comment 2 Christian Weiske 2008-10-03 06:57:42 UTC
Patch works for me.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-03 11:35:36 UTC
Created attachment 167075 [details]
libxml2-2.7.1-r1.ebuild

Ebuild for patch:
http://svn.gnome.org/viewvc/libxml2/trunk/parser.c?r1=3798&r2=3797&pathrev=3798
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-03 11:36:14 UTC
Created attachment 167076 [details]
libxml2-2.7.1-parser-dos.patch

Patch from
http://svn.gnome.org/viewvc/libxml2/trunk/parser.c?r1=3798&r2=3797&pathrev=3798
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-03 11:40:59 UTC
That (very simple!) patch works for me, passes the test from http://bugzilla.gnome.org/show_bug.cgi?id=554660.
"Status Whiteboard" would be changed to "A3 [stable]" now, correct?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-10-03 12:13:41 UTC
(In reply to comment #5)
> That (very simple!) patch works for me, passes the test from
> http://bugzilla.gnome.org/show_bug.cgi?id=554660.
> "Status Whiteboard" would be changed to "A3 [stable]" now, correct?

Only after it is committed.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-10-03 12:15:36 UTC
2.7.2 is out with a fix, too.
Comment 8 Mart Raudsepp gentoo-dev 2008-10-03 21:06:37 UTC
libxml2-2.7.2.ebuild is in tree.
Arches, please test and stabilize
Comment 9 Friedrich Oslage (RETIRED) gentoo-dev 2008-10-03 22:36:34 UTC
sparc stable
Comment 10 Markus Meier gentoo-dev 2008-10-04 10:08:10 UTC
amd64/x86 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-04 11:38:15 UTC
ppc stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2008-10-04 12:22:12 UTC
ppc64 done
Comment 13 Jeroen Roovers gentoo-dev 2008-10-05 17:36:23 UTC
Stable for HPPA.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-13 18:54:16 UTC
GLSA together with bug 234099 and bug 237806.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-12-02 17:46:43 UTC
GLSA 200812-06