Bug 458430 - <dev-libs/libxml2-2.9.0-r2 : DoS (CVE-2013-1664)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on: 448798
Blocks: 458984
Reported: 2013-02-20 10:09 UTC by Dirkjan Ochtman
Modified: 2013-11-10 15:19 UTC

Comment 1 Dirkjan Ochtman gentoo-dev 2013-02-20 10:12:12 UTC
Looks like part of this originates with dev-libs/libxml2.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-02-20 14:58:04 UTC
The libxml2 side of things is fixed by dev-libs/libxml2-2.9.0-r2, which needs to be stabilized. (Note: please stabilize evolution-data-server-2.32.3-r3 at the same time - see bug #448798)

+*libxml2-2.9.0-r2 (20 Feb 2013)
+
+  20 Feb 2013; Alexandre Rostovtsev <tetromino@gentoo.org>
+  -libxml2-2.9.0.ebuild, +libxml2-2.9.0-r2.ebuild,
+  +files/libxml2-2.9.0-excessive-entity-expansion.patch:
+  Fix entity expansion DoS vulnerability (CVE-2013-1664, bug #458430, thanks to
+  Dirkjan Ochtman). Drop old.
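Review bot: the ChangeLog entry names the CVE and this bug but does not record where files/libxml2-2.9.0-excessive-entity-expansion.patch comes from (the upstream libxml2 commit it backports, or a note that it was written locally). Arch teams are asked below to test and mark this revision stable; a one-line provenance reference in the entry, or a header comment in the patch file itself, lets them and later readers compare the backport against upstream. The "Drop old" removal of libxml2-2.9.0.ebuild is fine since the only 2.9.0 ebuild left is the patched one.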
Comment 3 Pacho Ramos gentoo-dev 2013-02-20 20:50:17 UTC
Alexandre, is dev-libs/libxml2-2.9 ready for Gnome 2.32? I am still running 2.8 because I read a comment from some gnome herd member (I don't remember who :S) suggesting to wait for Gnome3 for using libxml-2.9 :/
Comment 4 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-02-20 21:20:59 UTC
(In reply to comment #3)
> Alexandre, is dev-libs/libxml2-2.9 ready for Gnome 2.32? I am still running
> 2.8 because I read a comment from some gnome herd member (I don't remember
> who :S) suggesting to wait for Gnome3 for using libxml-2.9 :/

The only gnome-2.32 package that I know which used the old libxml2 buffer API is evolution-data-server, and I've fixed it by backporting the libxml2-2.9 compatibility patch from 3.6 to evolution-data-server-2.32.3-r3. If some other packages are affected, we can apply the same basic fix for them.

libxml2-2.9 has been unmasked for two months, and the only bug still open for it is games-rpg/eternal-lands (bug #449352) which doesn't have any stable versions in portage and so does not block libxml2-2.9.x stabilization.
Comment 5 Pacho Ramos gentoo-dev 2013-02-24 18:04:33 UTC
CCing arches to stabilize libxml2-2.9.0-r2
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-02-24 20:45:13 UTC
(In reply to comment #5)
> CCing arches to stabilize libxml2-2.9.0-r2

No, like this, please:

Arch teams, please test and mark stable:
=dev-libs/libxml2-2.9.0-r2
Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-02-24 22:10:23 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-02-25 12:09:21 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-02-25 12:09:39 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-02-25 21:50:32 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-02-25 22:12:38 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-02-26 10:21:17 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-02-26 11:51:03 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-02-26 12:00:30 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-02-26 13:13:20 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-02-26 14:55:01 UTC
s390 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-03-01 12:40:59 UTC
sh stable
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 19:54:49 UTC
Added to existing draft.
Comment 19 Agostino Sarubbo gentoo-dev 2013-03-25 16:05:43 UTC
missing m68k
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2013-04-11 16:41:22 UTC
CVE-2013-1664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1664):
  OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and
  Folsom; and Cinder Folsom allows remote attackers to cause a denial of
  service (resource consumption and crash) via an XML Entity Expansion (XEE)
  attack.
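The entity-expansion denial of service that the libxml2-2.9.0-r2 patch in comment 2 addresses and that the CVE text above calls an XML Entity Expansion (XEE) attack, as an added example that is not part of this bug report and is not libxml2's code: a pre-parse estimate of how much text the entities declared in a document's internal DTD subset will expand to, run against a constructed "billion laughs" document and a constructed benign one. The sample documents, the 10x growth ratio, the 10,000,000-character ceiling and all function names are this example's own choices; libxml2's actual limits and checks live inside the library and are not reproduced here.

```python
import re

# Constructed sample inputs (not taken from the bug report or from any real attack).
# Six levels of ten references each: &lol6; expands to 10^6 copies of "lol".
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
]>
<lolz>&lol6;</lolz>
"""

# Ordinary use of internal entities: one level of nesting, tiny expansion.
BENIGN = """<?xml version="1.0"?>
<!DOCTYPE note [
 <!ENTITY company "Example Corp">
 <!ENTITY footer "Copyright &company;">
]>
<note><to>ops</to><body>&footer;</body></note>
"""

# <!DOCTYPE name ... [ internal subset ]>  -- group 1 is the internal subset, if any.
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*(?:\[(.*?)\]\s*)?>', re.S)
# Internal general entities only; parameter (%) and external (SYSTEM/PUBLIC) entities do not match.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(["\'])(.*?)\2\s*>', re.S)
# General entity references; character references (&#...;) deliberately do not match.
ENTITY_REF = re.compile(r'&(\w+);')


def internal_entities(doc):
    """Return {name: replacement_text} for general entities declared in the internal subset."""
    m = DOCTYPE.search(doc)
    if not m or not m.group(1):
        return {}
    return {name: text for name, _quote, text in ENTITY_DECL.findall(m.group(1))}


def expansion_size(name, entities, memo, stack):
    """Characters produced by fully expanding &name;.

    Expansion is computed on the declarations alone, so exponential documents cost
    only a few table lookups.  A reference cycle (a -> b -> a) is ill-formed XML and
    is reported as ValueError instead of recursing forever.
    """
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError("recursive entity reference: " + name)
    text = entities.get(name)
    if text is None:
        # Undeclared or predefined (&amp; etc.): count the reference's own length.
        return len(name) + 2
    stack.add(name)
    size = len(text)
    for ref in ENTITY_REF.findall(text):
        # Replace each nested reference's literal length with its expanded length.
        size += expansion_size(ref, entities, memo, stack) - (len(ref) + 2)
    stack.discard(name)
    memo[name] = size
    return size


def check_entity_expansion(doc, max_ratio=10, max_total=10_000_000):
    """Decide whether a document is safe to hand to a full XML parser.

    Returns (ok, expanded_chars).  Rejects when the entity references in the body
    would expand to more than max_total characters or to more than max_ratio times
    the document's own size, or when the declarations are recursive (expanded_chars
    is None in that case).  Both thresholds are this example's choice.
    """
    entities = internal_entities(doc)
    m = DOCTYPE.search(doc)
    body = doc[:m.start()] + doc[m.end():] if m else doc
    memo, total = {}, 0
    try:
        for ref in ENTITY_REF.findall(body):
            total += expansion_size(ref, entities, memo, set())
    except ValueError:
        return False, None
    if total > max_total or total > max_ratio * len(doc):
        return False, total
    return True, total


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("billion laughs", BILLION_LAUGHS)):
        ok, size = check_entity_expansion(sample)
        print(f"{label}: {'accept' if ok else 'reject'}, "
              f"{len(sample)} input chars -> {size} expanded chars")
```

The estimate is linear in the number of declarations because each entity's size is memoised, which is the property an expansion limit needs: the attacker's document is cheap to measure even though it would be expensive to expand. A real deployment still needs the parser's own limits (the libxml2 revision stabilised here), because this pre-check only sees the internal subset and ignores external and parameter entities.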
Comment 21 Agostino Sarubbo gentoo-dev 2013-09-28 20:54:24 UTC
M68K is not anymore a stable arch, removing it from the cc list
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2013-11-10 15:19:00 UTC
This issue was resolved and addressed in
 GLSA 201311-06 at http://security.gentoo.org/glsa/glsa-201311-06.xml
by GLSA coordinator Sean Amoss (ackle).