From ${URL} :
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=775200
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ad6bf6d6f3dbe00df33a5399c6762fb0ae1867f
commit 2ad6bf6d6f3dbe00df33a5399c6762fb0ae1867f
Author: Mike Frysinger <vapier@chromium.org>
AuthorDate: 2019-01-03 11:08:40 +0000
Commit: Mike Frysinger <vapier@gentoo.org>
CommitDate: 2019-01-03 11:21:38 +0000
    dev-libs/libxml2: fix CVE-2017-8872 #618110
    Bug: https://bugs.gentoo.org/618110
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
 .../files/libxml2-2.9.8-CVE-2017-8872.patch | 65 ++++++
 dev-libs/libxml2/libxml2-2.9.8-r1.ebuild | 217 +++++++++++++++++++++
 2 files changed, 282 insertions(+)
x86 stable
amd64 stable
arm64 stable
ia64 stable
hppa stable
ppc64 stable
ppc stable
sparc stable
arm stable
alpha stable
s390 stable
There were also CVE-2018-14404 and CVE-2018-14567 fixes in 2.9.8-r1 and 2.9.9.