It was found that the hashing routine used by libxml2 arrays was
susceptible to predictable hash collisions. Sending a specially-crafted
message to an XML service could result in longer processing time, which
could lead to a denial of service.
Fixed in 2.7.8-r5, thanks for reporting.
> *libxml2-2.7.8-r5 (23 Feb 2012)
> 23 Feb 2012; Alexandre Rostovtsev <email@example.com>
> -libxml2-2.7.8-r1.ebuild, -libxml2-2.7.8-r2.ebuild, -libxml2-2.7.8-r3.ebuild,
> +libxml2-2.7.8-r5.ebuild, +files/libxml2-2.7.8-hash-randomization.patch:
> Add hashing randomization to prevent DoS vulnerability (CVE-2012-0841, bug
> #405261, thanks to Michael Harrison for reporting). Drop old.
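As an added illustration of the class of fix the ChangeLog above names (a per-table random seed folded into the hash state, so the predictable collisions in the bug description no longer apply) together with a chain-length check a defender can use to measure collision pressure, here is a small hypothetical hash-table core in C; it is not libxml2's code, and NBUCKETS, keyed_hash, pick_seed and max_chain are names chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a libxml2-style name table; not libxml2's code. */
#define NBUCKETS 64

/* FNV-1a over the key with a per-table seed folded into the start state.
 * Seed 0 is plain FNV-1a: the fixed, predictable hashing the bug describes.
 * Every step is a bijection on the 32-bit state, so two different seeds
 * never give the same key the same hash, which is what defeats a prepared
 * set of colliding names. */
static uint32_t keyed_hash(const char *key, uint32_t seed) {
    uint32_t h = 2166136261u ^ seed;
    for (const unsigned char *p = (const unsigned char *)key; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

static size_t bucket_of(const char *key, uint32_t seed) {
    return keyed_hash(key, seed) % NBUCKETS;
}

/* Seed drawn from the OS RNG at table creation. The constant fallback only
 * keeps the example runnable offline; a real table should fail instead. */
static uint32_t pick_seed(void) {
    uint32_t s = 0x9e3779b9u;               /* constructed fallback value */
    FILE *f = fopen("/dev/urandom", "rb");
    if (f) {
        if (fread(&s, sizeof s, 1, f) != 1) s = 0x9e3779b9u;
        fclose(f);
    }
    return s;
}

/* Longest bucket chain after inserting all keys. Each lookup or insert walks
 * one chain, so this is the per-operation cost; a chain that grows with the
 * number of keys is the collision pressure behind the reported slowdown. */
static size_t max_chain(const char *const *keys, size_t n, uint32_t seed) {
    size_t counts[NBUCKETS] = {0};
    size_t worst = 0;
    for (size_t i = 0; i < n; i++) {
        size_t b = bucket_of(keys[i], seed);
        if (++counts[b] > worst) worst = counts[b];
    }
    return worst;
}
```

Running max_chain over the same key set with seed 0 and with pick_seed() shows the layout that is fixed under seed 0 changing from table to table, which is the property the 2.7.8-r5 patch adds.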
(In reply to comment #1)
> Fixed in 2.7.8-r5, thanks for reporting.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
Archtested on x86: Everything OK.
Compiles without issue, RDEPS successfully linked to libxml2 and tested xml functionality of a few applications.
x86 stable, thanks Dan
Stable on alpha.
Thanks, folks. GLSA Vote: yes.
Vote: yes. GLSA request filed.
This issue was resolved and addressed in
GLSA 201203-04 at http://security.gentoo.org/glsa/glsa-201203-04.xml
by GLSA coordinator Sean Amoss (ackle).