Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 281446 - <dev-libs/libxml-1.8.17-r4: Multiple vulnerabilities (CVE-2004-{0110,0989}, CVE-2009-{2414,2416})
Summary: <dev-libs/libxml-1.8.17-r4: Multiple vulnerabilities (CVE-2004-{0110,0989}, C...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [noglsa]
Depends on: 281444
  Show dependency tree
Reported: 2009-08-14 09:27 UTC by Robert Buchholz (RETIRED)
Modified: 2013-08-28 07:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-08-14 09:27:56 UTC
+++ This bug was initially created as a clone of Bug #280617 +++

Jukka Taimisto and Rauli Kaksonen from the CROSS project at Codenomicon reported the following vulnerabilities:
* Multiple pointer use-after-free flaws CVE-2009-2416
* Stack oveeflow when parsing recursive XML structures CVE-2009-2414

Furthermore, we missed patches for CVE-2004-0110 and CVE-2004-0989 that were needed for libxml-1 as well. Thanks to Victor Ostorga for noting that.

Since we never audited libxml for issues in libxml2, I wonder what the status of these CVEs is:
* CVE-2008-4409
* CVE-2008-4226
* CVE-2008-4225
* CVE-2008-3529
* CVE-2008-3281 and the original CVE-2003-1564
* CVE-2007-6284
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2010-01-18 17:08:33 UTC
to be masked for removal
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2010-03-18 13:16:18 UTC
It's masked now
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2010-04-20 16:14:43 UTC
(In reply to comment #2)
> It's masked now

and also removed. feel free to handle this bug as you see fit.
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 12:21:45 UTC
The package is no longer in the tree. Should we make a decision about GLSA for those users who might still have it installed?
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-01-11 00:35:22 UTC
No vote required as this was rated B2. Request filed.
Comment 6 Sergey Popov gentoo-dev 2013-08-28 07:39:18 UTC
Two years old, package is gone from tree. Closing as OBSOLETE