From ${URL} : It was found that the original patch for issues CVE-2015-1283 and CVE-2015-2716 used overflow checks that could be optimized out by some compilers applying certain optimization settings, which can cause the vulnerability to remain even after applying the patch.

One pattern in the fix for CVE-2015-1283/CVE-2015-2716 is:

    /* bufferSize is positive here */
    do {
      bufferSize *= 2;
    } while (bufferSize < neededSize && bufferSize > 0);
    if (bufferSize <= 0) {
      errorCode = XML_ERROR_NO_MEMORY;
      return NULL;
    }

Any modern optimizing compiler, IF able to infer that bufferSize is initially positive (which is true but not obvious to see through local reasoning), will eliminate bufferSize > 0 as always true when the execution is defined, and bufferSize <= 0 as always false when the execution is defined.

Without knowing that bufferSize starts positive, an optimizing compiler could also move the test bufferSize > 0 out of the loop, that is, compile the code as if it had been written:

    if (bufferSize <= 0) {
      errorCode = XML_ERROR_NO_MEMORY;
      return NULL;
    } else {
      do {
        bufferSize *= 2;
      } while (bufferSize < neededSize);
    }

Both cases lead to not eliminating the vulnerability.

Upstream patch: https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/tree/expat/lib/xmlparse.c?diff=a238d7ea7a715ef3850c4cbdd86aeda7077b6bbc

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
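The root cause in the quoted pattern is that `bufferSize *= 2` is signed int arithmetic, and signed overflow is undefined behaviour in C, so the compiler is entitled to assume the value never wraps negative and to drop the `bufferSize > 0` / `bufferSize <= 0` tests that were meant to catch exactly that wrap. The following is an added example (written for this bug entry, not code from Expat and not the upstream patch linked above) showing the "before" shape next to a hardened variant that checks whether the next doubling would exceed INT_MAX before performing it, so every comparison is on in-range values and nothing is left for the optimizer to remove. The function names `grow_unsafe` and `grow_safe` and the sample sizes are assumptions for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* "Before" shape of the quoted pattern, as a free function so it can be read
 * in isolation. Do not rely on it for the overflow case: the doubling is
 * signed arithmetic, so when it overflows the behaviour is undefined and a
 * compiler may legitimately compile both checks away (this is CVE-2016-4472).
 * Returns the grown size, or -1 if the (possibly optimized-out) check fires. */
static int grow_unsafe(int bufferSize, int neededSize)
{
    /* bufferSize is positive here */
    do {
        bufferSize *= 2;                      /* may overflow: UB */
    } while (bufferSize < neededSize && bufferSize > 0);
    if (bufferSize <= 0)                      /* may be eliminated */
        return -1;
    return bufferSize;
}

/* Hardened variant (added example, not the upstream fix): decide *before*
 * multiplying whether the product would be representable. INT_MAX / 2 is the
 * largest int that can be doubled without overflow, so the comparison never
 * involves an out-of-range value and no undefined behaviour is reachable.
 * Returns the grown size, or -1 if neededSize cannot be reached in an int. */
static int grow_safe(int bufferSize, int neededSize)
{
    if (bufferSize <= 0 || neededSize <= 0)   /* make the precondition explicit */
        return -1;
    do {
        if (bufferSize > INT_MAX / 2)         /* doubling would overflow */
            return -1;
        bufferSize *= 2;
    } while (bufferSize < neededSize);
    return bufferSize;
}

int main(void)
{
    /* Constructed inputs: a normal growth and one that must be rejected. */
    printf("grow_safe(1024, 5000)      = %d\n", grow_safe(1024, 5000));
    printf("grow_safe(1 << 30, INT_MAX) = %d\n", grow_safe(1 << 30, INT_MAX));
    /* Only the non-overflowing case of grow_unsafe is well defined. */
    printf("grow_unsafe(1024, 5000)    = %d\n", grow_unsafe(1024, 5000));
    return 0;
}
```

Build both functions with `-O2 -S` and compare the generated code: the `bufferSize <= 0` test in `grow_unsafe` is the one the compiler is free to drop, while the `INT_MAX / 2` comparison in `grow_safe` has to stay because it is the only thing that determines the return value. Doing the arithmetic in `unsigned int` and checking the result is an equally valid alternative; the essential point is that the check must happen on values that are always in range.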
CVE-2016-4472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4472): The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
From https://sourceforge.net/p/expat/code_git/ci/master/tree/expat/Changes:

> Release 2.2.0 Tue June 21 2016
>         Security fixes:
>             #537  CVE-2016-0718 -- Fix crash on malformed input
>                   CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
>                                    CVE-2015-2716 introduced with Expat 2.1.1
>             #499  CVE-2016-5300 -- Use more entropy for hash initialization
>                                    than the original fix to CVE-2012-0876
>             #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
>                                    that was introduced with Expat 2.1.0
>                                    when addressing CVE-2012-0876 (issue #496)

v2.2.0 is in Gentoo repository available since https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/expat?id=d32fd3265a5a1e4297d542c55c9417f98beff4b8

@ Arches, please test and mark stable: =dev-libs/expat-2.2.0-r1

Stable target(s): alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Removing unstable arches.
amd64 stable
x86 stable
Stable on alpha.
arm stable
sparc stable
ia64 stable
ppc stable
ppc64 stable
ping for final arch
Stable for HPPA.
Added to existing GLSA request. @ Maintainer(s): Please cleanup and drop <dev-libs/expat-2.2.0-r1!
cleaned
This issue was resolved and addressed in GLSA 201701-21 at https://security.gentoo.org/glsa/201701-21 by GLSA coordinator Aaron Bauman (b-man).