Created attachment 434502
The patch for CVE-2016-0718

CVE-2016-0718: Expat XML Parser Crashes on Malformed Input

Severity: Critical

Versions Affected: All Expat XML Parser library versions

Description: The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

Mitigation: Applications that are using Expat should apply the attached patch as soon as possible.

Credit: this issue was reported by Gustavo Grieco
Created attachment 434506
Hardening to previous CVE-2015-1283 in 2.1.1
Issue public via ${URL}
In Git. How do we proceed? https://github.com/gentoo/gentoo/commit/6bcf306fc93c86f15779e3e3f44ec856beb1414c
Arches, please stabilize =dev-libs/expat-2.1.1-r1 Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable on alpha.
Stable for PPC64.
Stable for HPPA.
amd64 stable
x86 stable
arm stable
CVE-2016-0718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0718): Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
Added to existing GLSA.
ppc stable
sparc stable
ia64 stable. Maintainer(s), please cleanup.
(In reply to Agostino Sarubbo from comment #15)
> Maintainer(s), please cleanup.

I have removed 2.1.1 now (https://github.com/gentoo/gentoo/commit/41169f960485226b530b0b46dc1c55ea4ab7570f)

BUT am unsure about the removal of 2.1.0-r5. It is marked stable on four more arches (arm64, m68k, s390, sh) than any later ebuild of Expat. Please confirm that none of these arches are stabilized any more and that you're good with removal of expat-2.1.0-r5.ebuild. Thanks!
(In reply to Sebastian Pipping from comment #16)
> (In reply to Agostino Sarubbo from comment #15)
> > Maintainer(s), please cleanup.
>
> I have removed 2.1.1 now
> (https://github.com/gentoo/gentoo/commit/41169f960485226b530b0b46dc1c55ea4ab7570f)
>
> BUT am unsure about the removal of 2.1.0-r5. It is marked stable on four
> more arches (arm64, m68k, s390, sh) than any later ebuild of Expat. Please
> confirm that none of these arches are stabilized any more and that you're
> good with removal of expat-2.1.0-r5.ebuild. Thanks!

Those arches are unsupported so removal is fine.
Good, 2.1.0-r5 removed now. https://github.com/gentoo/gentoo/commit/0905f87452499686c30270f737b728a88b059250
commit 16a87b549461e49ac8b7915d892d4d8ca187c1b1
Author: Sebastian Pipping <sping@g.o>
Date:   Tue Jul 26 21:23:09 2016 +0200

    dev-libs/expat: CVE-2016-0718 regression fix

    Package-Manager: portage-2.2.28

 dev-libs/expat/expat-2.1.1-r3.ebuild              | 98 ++++++++++++++++++++++
 .../{expat-2.2.0.ebuild => expat-2.2.0-r1.ebuild} |  4 +
 .../expat-2.1.1-CVE-2016-0718-regression.patch    | 27 ++++++
 3 files changed, 129 insertions(+)

https://github.com/gentoo/gentoo/commit/16a87b549461e49ac8b7915d892d4d8ca187c1b1

The fix itself does not close a vulnerability, but fixes a regression introduced with expat-2.1.1-CVE-2016-0718-v2-2-1.patch. I'm proposing to stabilize 2.1.1-r3. What do you think?
This issue was resolved and addressed in GLSA 201701-21 at https://security.gentoo.org/glsa/201701-21 by GLSA coordinator Aaron Bauman (b-man).