From ${URL} : Florian Weimer from Red Hat reported an issue against libxml2, where a parser which uses libxml2 chokes on a crafted XML document, allocating gigabytes of data. This is a fine line between API misuse and an libxml2 bug. Daniel Veillard have a fix for this issue already. Patch: https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Thanks, fixed: +*libxml2-2.9.2-r1 (19 Apr 2015) + + 19 Apr 2015; Alexandre Rostovtsev <tetromino@gentoo.org> + +libxml2-2.9.2-r1.ebuild, +files/libxml2-2.9.2-constant-memory.patch, + +files/libxml2-2.9.2-missing-entities.patch, + +files/libxml2-2.9.2-threads-declarations.patch, + +files/libxml2-2.9.2-timsort.patch: + Add important patches from upstream, including a fix for a DoS vulnerability + (CVE-2015-1819, bug #546720, thanks to Agostino Sarubbo). =dev-libs/libxml2-2.9.2-r1 needs to be stabilized.
Arches, please test and mark stable: =dev-libs/libxml2-2.9.2-r1 Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86" Thank you!
amd64 stable
x86 stable
Stable for HPPA.
Stable for PPC64.
sparc stable
ppc stable
ia64 stable
alpha stable
arm stable
Vulnerable versions have been removed. + 27 May 2015; Alexandre Rostovtsev <tetromino@gentoo.org> + -libxml2-2.9.2.ebuild: + Clean up vulnerable versions.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
I would vote YES, but A3 should go straight to glsamaker anyway. Request filed.
This issue was resolved and addressed in GLSA 201507-08 at https://security.gentoo.org/glsa/201507-08 by GLSA coordinator Mikle Kolyada (Zlogene).
