Bug 575700 (CVE-2016-0729) - <dev-libs/xerces-c-3.1.3: parser crashes on malformed input (CVE-2016-0729)
Status: RESOLVED FIXED
Alias: CVE-2016-0729
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: CVE-2016-2099
Blocks:
Reported: 2016-02-26 09:22 UTC by Agostino Sarubbo
Modified: 2016-12-24 07:13 UTC

Description Agostino Sarubbo gentoo-dev 2016-02-26 09:22:14 UTC
From ${URL} :

The Xerces-C XML parser mishandles certain kinds of malformed
input documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as memory
corruption during a parse operation. The bugs allow for a denial of service
attack in many applications by an unauthenticated attacker, and could
conceivably result in remote code execution.

External references:

http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt

Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1727978


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 David Seifert gentoo-dev 2016-10-15 09:33:42 UTC
Should have been fixed with 3.1.3 already.

commit 305cee3cfcf1b0a2a787aad8ae9c5ac854b2533d
Author: David Seifert <soap@gentoo.org>
Date:   Sat Oct 15 11:30:09 2016 +0200

    dev-libs/xerces-c: Version bump to 3.1.4
    
    Gentoo-bug: 584506
    * EAPI=6
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-15 11:39:59 UTC
Confirmed this is fixed in =dev-libs/xerces-c-3.1.3

GLSA request opened.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-12-24 07:13:22 UTC
This issue was resolved and addressed in
 GLSA 201612-46 at https://security.gentoo.org/glsa/201612-46
by GLSA coordinator Aaron Bauman (b-man).