Bug 584506 (CVE-2016-2099) - <dev-libs/xerces-c-3.1.4-r1: use after free (CVE-2016-2099)
Summary: <dev-libs/xerces-c-3.1.4-r1: use after free (CVE-2016-2099)
Status: RESOLVED FIXED
Alias: CVE-2016-2099
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-0729
Reported: 2016-05-30 08:07 UTC by Agostino Sarubbo
Modified: 2016-12-24 07:13 UTC (History)
See Also:
Package list:
=dev-libs/xerces-c-3.1.4-r1
Runtime testing required: ---
kensington: sanity-check+


Description Agostino Sarubbo gentoo-dev 2016-05-30 08:07:56 UTC
From ${URL}:


We found a use-after-free in Xerces 3.1.3 parsing an xml file (also
affecting older versions). Technical details and a patch are available
here:

https://issues.apache.org/jira/browse/XERCESC-2066



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2016-06-30 10:08:14 UTC
The upstream patches were applied to the trunk.

See also:
http://svn.apache.org/viewvc?view=revision&revision=1747619
http://svn.apache.org/viewvc?view=revision&revision=1747620
Comment 2 David Seifert gentoo-dev 2016-10-15 09:34:06 UTC
3.1.4 contains the fix, please stabilize

commit 305cee3cfcf1b0a2a787aad8ae9c5ac854b2533d
Author: David Seifert <soap@gentoo.org>
Date:   Sat Oct 15 11:30:09 2016 +0200

    dev-libs/xerces-c: Version bump to 3.1.4
    
    Gentoo-bug: 584506
    * EAPI=6
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-15 11:51:49 UTC
@arches, please stabilize the following:

=dev-libs/xerces-c-3.1.4
Comment 4 Agostino Sarubbo gentoo-dev 2016-10-15 12:47:58 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-10-15 12:48:25 UTC
x86 stable
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-16 10:48:04 UTC
@Jer, why the version change to -r1?
Comment 7 David Seifert gentoo-dev 2016-10-16 11:01:44 UTC
-r1 includes the sample binaries in order for ago to perform his fuzzing tests. Hence, please stabilize -r1.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2016-10-16 11:17:35 UTC
Stable on alpha.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-17 04:52:06 UTC
Stable for HPPA PPC64.
Comment 10 Michael Palimaka (kensington) gentoo-dev 2016-12-18 17:25:50 UTC
An automated check of this bug failed - the following atom is unknown:

dev-libs/xerces-c-3.1.4

Please verify the atom list.
Comment 11 Michael Palimaka (kensington) gentoo-dev 2016-12-18 17:37:41 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 12 Agostino Sarubbo gentoo-dev 2016-12-19 14:36:04 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-12-20 09:45:19 UTC
ppc stable.

Maintainer(s), please cleanup.
Comment 14 David Seifert gentoo-dev 2016-12-21 08:08:41 UTC
All old versions removed.

commit 44485bad3bbf280839f823b81a1051e56db5c93f
Author: David Seifert <soap@gentoo.org>
Date:   Wed Dec 21 09:07:45 2016 +0100

    dev-libs/xerces-c: Remove old
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-12-24 07:13:30 UTC
This issue was resolved and addressed in GLSA 201612-46 at https://security.gentoo.org/glsa/201612-46 by GLSA coordinator Aaron Bauman (b-man).