Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 573820 (CVE-2015-8806) - <dev-libs/libxml2-2.9.4: heap-buffer overread in dict.c
Summary: <dev-libs/libxml2-2.9.4: heap-buffer overread in dict.c
Status: RESOLVED FIXED
Alias: CVE-2015-8806
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-04 09:17 UTC by Agostino Sarubbo
Modified: 2017-01-16 21:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-02-04 09:17:28 UTC
From ${URL} :

A heap-buffer overread vulnerability was found in libxml2. A specially crafted file can cause the 
application to crash.

External bugzilla report with reproducer:

https://bugzilla.gnome.org/show_bug.cgi?id=749115

CVE assignment:

http://seclists.org/oss-sec/2016/q1/277


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-19 00:08:00 UTC
Fix landed in v2.9.4: https://bugzilla.gnome.org/show_bug.cgi?id=758605#c5

v2.9.4 landed in Gentoo repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/libxml2?id=b68f9389191396b4febff3e7b61f939189364426

Also, upstream changed tracking to CVE-2016-1839, see https://bugzilla.gnome.org/show_bug.cgi?id=749115#c9
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-19 04:05:01 UTC
Moving CVE alias to the proper bug 583888.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-01-16 21:23:47 UTC
This issue was resolved and addressed in
 GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-16 21:25:45 UTC
This issue was resolved and addressed in
 GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37
by GLSA coordinator Thomas Deutschmann (whissi).