From ${URL} : The Xerces-C XML parser mishandles certain kinds of malformed input documents, resulting in buffer overlows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution. External references: http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt Upstream patch: http://svn.apache.org/viewvc?view=revision&revision=1727978 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Should have been fixed with 3.1.3 already. commit 305cee3cfcf1b0a2a787aad8ae9c5ac854b2533d Author: David Seifert <soap@gentoo.org> Date: Sat Oct 15 11:30:09 2016 +0200 dev-libs/xerces-c: Version bump to 3.1.4 Gentoo-bug: 584506 * EAPI=6
Confirmed this is fixed in =dev-libs/xerces-c-3.1.3 GLSA request opened.
This issue was resolved and addressed in GLSA 201612-46 at https://security.gentoo.org/glsa/201612-46 by GLSA coordinator Aaron Bauman (b-man).