Bug 308009 (CVE-2009-1885) - <dev-libs/xerces-c-3.1.0 DOS (CVE-2009-1885)
Status: RESOLVED FIXED
Alias: CVE-2009-1885
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Reported: 2010-03-06 14:16 UTC by Stefan Behte (RETIRED)
Modified: 2011-10-08 21:56 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:16:17 UTC
CVE-2009-1885 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1885):
  Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in
  Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers
  to cause a denial of service (application crash) via vectors
  involving nested parentheses and invalid byte values in "simply
  nested DTD structures," as demonstrated by the Codenomicon XML
  fuzzing framework.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:17:17 UTC
cpp: is dev-libs/xerces-c ready to go stable?
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 12:00:16 UTC
Maintainer timeout (huuuuuge one), adding arches. Please stabilize:

=dev-libs/xerces-c-3.1.0
Comment 3 Agostino Sarubbo gentoo-dev 2011-01-10 13:04:36 UTC
amd64 ok
Comment 4 Alex Buell 2011-01-10 23:26:27 UTC
Tested on SPARC, built and installed OK. Could be stabilised.
Comment 5 Alex Buell 2011-01-10 23:27:35 UTC
Tested on SPARC, built and installed OK. Could be stabilised.
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-11 17:26:00 UTC
ppc/ppc64 stable
Comment 7 Markus Meier gentoo-dev 2011-01-11 21:57:52 UTC
x86 stable
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-01-12 14:00:13 UTC
amd64 done. Thanks Agostino
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-12 15:32:03 UTC
Stable for HPPA.
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 10:36:36 UTC
sparc, alpha: you claim to be security-supported architectures, please do this security stabilization on time.
Comment 11 Michael Weber (RETIRED) gentoo-dev 2011-02-25 22:38:11 UTC
+  25 Feb 2011; Michael Weber <xmw@gentoo.org> xerces-c-3.1.0.ebuild:
+  Stable sparc wrt bug 308009, thanks Alex Buell.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2011-02-26 13:14:01 UTC
alpha stable
Comment 13 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-26 14:36:47 UTC
Thank you. B3-rated vulnerabilities get a GLSA vote.
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-02-26 14:39:27 UTC
GLSA Vote: no.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 21:56:27 UTC
voting no too, and closing.