Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 589816 - <dev-libs/libxml2-2.9.4-r1: use-after-free (CVE-2016-5131)
Summary: <dev-libs/libxml2-2.9.4-r1: use-after-free (CVE-2016-5131)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa cve blocked]
Keywords:
Depends on: 597116
Blocks:
  Show dependency tree
 
Reported: 2016-07-27 08:09 UTC by Agostino Sarubbo
Modified: 2017-01-16 21:26 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-07-27 08:09:05 UTC
From ${URL} :

[$3500][623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-11-19 00:50:50 UTC
This is CVE-2016-5131 (already taken by bug 589278).

@ Maintainer(s): Please consider applying this fix via rev-bump.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-19 01:14:39 UTC

*** This bug has been marked as a duplicate of bug 589278 ***
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-19 09:18:45 UTC
This is not a duplicate.

Libxml has a vulnerability. Chrome/chromium uses an its own bundled version, so if this issue is resolved in the bundled libxml version in chromium we need to fix it in the tree.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-19 09:34:49 UTC
(In reply to Agostino Sarubbo from comment #4)
> This is not a duplicate.
> 
> Libxml has a vulnerability. Chrome/chromium uses an its own bundled version,
> so if this issue is resolved in the bundled libxml version in chromium we
> need to fix it in the tree.

Yes, it is a duplicate because you filed it against dev-libs/libxml2, which already has a bug filed.  www-client/chromium does not bundle libxml2.  If you want to open a proper bug then file it against www-client/google-chrome which does bundle libxml2.  Security will work with the maintainer to identify a proper course of action concerning www-client/google-chrome.

*** This bug has been marked as a duplicate of bug 589278 ***
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-19 09:44:54 UTC
(In reply to Aaron Bauman from comment #5)
> (In reply to Agostino Sarubbo from comment #4)
> > This is not a duplicate.
> > 
> > Libxml has a vulnerability. Chrome/chromium uses an its own bundled version,
> > so if this issue is resolved in the bundled libxml version in chromium we
> > need to fix it in the tree.
> 
> Yes, it is a duplicate because you filed it against dev-libs/libxml2, which
> already has a bug filed.  www-client/chromium does not bundle libxml2.  If
> you want to open a proper bug then file it against www-client/google-chrome
> which does bundle libxml2.  Security will work with the maintainer to
> identify a proper course of action concerning www-client/google-chrome.
> 
> *** This bug has been marked as a duplicate of bug 589278 ***

Sorry, there is no bug open for libxml2 already.  I see what you mean.  My mistake.
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-19 10:09:01 UTC
(In reply to Aaron Bauman from comment #6)
> Sorry, there is no bug open for libxml2 already.  I see what you mean.  My
> mistake.

No problem :)
Comment 8 Teika kazura 2016-12-24 07:13:40 UTC
You may already know it, but Debian released a fix for CVE-2016-4658 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840553) and CVE-2016-5131 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840554). See also https://www.debian.org/security/2016/dsa-3744

This release is Debian's own one. Upstream has not fixed CVE-2016-9318 which affects libxml2-2.9.4 and earliear.

BTW the last CVE item does not seem to be reported to Gentoo.

Thanks Gentoo devs.Best regards.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-01-16 21:26:23 UTC
This issue was resolved and addressed in
 GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37
by GLSA coordinator Thomas Deutschmann (whissi).