Bug 476438 (CVE-2013-2877) - <dev-libs/libxml2-2.9.1-r1: Unspecified Denial of Service Vulnerability (CVE-2013-2877)
Summary: <dev-libs/libxml2-2.9.1-r1: Unspecified Denial of Service Vulnerability (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2013-2877
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54112/
Whiteboard: A3 [glsa]
Blocks: CVE-2013-0338 CVE-2013-1969
Reported: 2013-07-10 18:59 UTC by Agostino Sarubbo
Modified: 2013-11-10 15:19 UTC

Description Agostino Sarubbo gentoo-dev 2013-07-10 18:59:18 UTC
From ${URL} :

Description

A vulnerability has been reported in Libxml2, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library.

The vulnerability is caused due to an unspecified error when parsing XML files and can be exploited to cause a crash via a specially crafted XML file.


Solution:
Fixed in the GIT repository.

Further details available to Secunia VIM customers

Provided and/or discovered by:
Aki Helin, OUSPG

Original Advisory:
Debian bug-tracker:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715531


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-10 19:29:10 UTC
This was fixed upstream in libxml2-2.9.1; we need to bump.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-11 03:25:32 UTC
Fixed in 2.9.1, which now needs to be tested and stabilized everywhere.

@m68k arch maintainers, if you do not have the time to keep up with security stabilizations, please remove your stable keywords and declare that your arch is unstable like mips :/

+*libxml2-2.9.1 (11 Jul 2013)
+
+  11 Jul 2013; Alexandre Rostovtsev <tetromino@gentoo.org>
+  libxml2-2.8.0-r3.ebuild, -libxml2-2.8.0-r4.ebuild, -libxml2-2.9.0-r1.ebuild,
+  +libxml2-2.9.1.ebuild, +files/libxml2-2.9.1-compression-detection.patch,
+  +files/libxml2-2.9.1-missing-break.patch,
+  +files/libxml2-2.9.1-non-ascii-cr-lf.patch,
+  +files/libxml2-2.9.1-python-2.6.patch, +files/libxml2-2.9.1-python3.patch:
+  Version bump. Fixes denial-of-service vulnerability (bug #476438,
+  CVE-2013-2877, thanks to Agostino Sarubbo). Drop old versions, except for
+  2.8.0-r3 which for some reason was the only revision keyworded stable on
+  m68k.
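Review bot: The entry keeps libxml2-2.8.0-r3.ebuild in the tree (note the unprefixed file name in the header, i.e. modified rather than removed) solely because it is the only revision keyworded stable on m68k, so a vulnerable version stays installable for m68k stable users until the 2.9.1 stabilization in comment 3 lands there; the ChangeLog text should say that the old revision is to be dropped once m68k marks 2.9.1 stable, and the m68k stable keyword question raised in comment 2 should be tracked so the vulnerable ebuild does not linger indefinitely.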
Comment 3 Agostino Sarubbo gentoo-dev 2013-07-11 04:48:28 UTC
Arches, please test and mark stable:
=dev-libs/libxml2-2.9.1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-11 11:55:25 UTC
Stable for HPPA.
Comment 5 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-12 05:17:15 UTC
For arches that haven't stabilized 2.9.1 yet, I suggest changing the stabilization target to =libxml2-2.9.1-r1 since it includes a fix for bug #476586
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-12 20:40:50 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-13 01:37:10 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-07-13 07:48:17 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-07-13 17:59:59 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-07-13 19:10:22 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-07-14 14:18:17 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-07-14 17:37:26 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-07-21 15:52:46 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-07-21 17:40:50 UTC
sh stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-07-21 17:55:25 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-08-06 12:32:47 UTC
s390 stable
Comment 17 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-23 14:57:35 UTC
GLSA request filed.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 03:26:12 UTC
CVE-2013-2877 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2877):
  parser.c in libxml2 before 2.9.0, as used in Google Chrome before
  28.0.1500.71 and other products, allows remote attackers to cause a denial
  of service (out-of-bounds read) via a document that ends abruptly, related
  to the lack of certain checks for the XML_PARSER_EOF state.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-11-10 15:19:09 UTC
This issue was resolved and addressed in
 GLSA 201311-06 at http://security.gentoo.org/glsa/glsa-201311-06.xml
by GLSA coordinator Sean Amoss (ackle).
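The bug summary gives the affected range as <dev-libs/libxml2-2.9.1-r1 and comment 5 moved the stabilization target to the -r1 revision, so anyone auditing a Gentoo host for this issue needs a version comparison that understands Gentoo's -rN revision suffix. The POSIX sh check below is an added example, not part of this bug or of Gentoo's own tooling; the version strings fed to it are constructed sample inputs, and it assumes plain dotted versions with an optional -rN revision (no _rc or _p suffixes), which covers every version mentioned in this bug.

```shell
#!/bin/sh
# Added example: classify a dev-libs/libxml2 version as affected by
# CVE-2013-2877 (bug #476438) or not, using the range from the bug summary.
# Assumption: versions look like "2.9.1" or "2.9.1-r1"; _rc/_p suffixes are
# not handled (none appear in this bug).

FIXED_VERSION="2.9.1-r1"   # first revision carrying the fix, per the summary

# Normalise "2.9.1-r1" to "2 9 1 0 1": four dotted components, zero padded,
# followed by the Gentoo revision (a missing -rN counts as revision 0).
normalize() {
    ver=${1%%-r*}
    rev=${1#"$ver"}; rev=${rev#-r}; [ -n "$rev" ] || rev=0
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    printf '%d %d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}" "$rev"
}

# Print -1, 0 or 1 as version $1 sorts before, equal to, or after version $2.
# Numeric components are compared first, the revision decides ties.
version_cmp() {
    a=$(normalize "$1"); b=$(normalize "$2")
    set -- $a
    for x in $b; do
        [ "$1" -lt "$x" ] && { printf '%s\n' "-1"; return; }
        [ "$1" -gt "$x" ] && { printf '%s\n' "1"; return; }
        shift
    done
    printf '%s\n' "0"
}

# Exit status 0 when the given version is inside "<2.9.1-r1", 1 when fixed.
libxml2_affected() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" = "-1" ]
}

# Constructed sample inputs: the versions that appear in this bug, plus one
# later release. On a real host the version comes from the package manager.
for v in 2.8.0-r3 2.9.0-r1 2.9.1 2.9.1-r1 2.9.2; do
    if libxml2_affected "$v"; then
        echo "libxml2-$v: affected, upgrade to >=dev-libs/libxml2-$FIXED_VERSION"
    else
        echo "libxml2-$v: carries the fix"
    fi
done
```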