Bug 618110 (CVE-2017-8872) - <dev-libs/libxml2-2.9.8-r1: Out-of-bounds read in htmlParseTryOrFinish
Summary: <dev-libs/libxml2-2.9.8-r1: Out-of-bounds read in htmlParseTryOrFinish
Alias: CVE-2017-8872
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [noglsa cve]
Depends on:
Reported: 2017-05-10 13:08 UTC by Agostino Sarubbo
Modified: 2019-03-30 21:13 UTC

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-05-10 13:08:55 UTC
From ${URL} :

The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.

Upstream bug:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Larry the Git Cow gentoo-dev 2019-01-03 11:22:03 UTC
The bug has been referenced in the following commit(s):

commit 2ad6bf6d6f3dbe00df33a5399c6762fb0ae1867f
Author:     Mike Frysinger <>
AuthorDate: 2019-01-03 11:08:40 +0000
Commit:     Mike Frysinger <>
CommitDate: 2019-01-03 11:21:38 +0000

    dev-libs/libxml2: fix CVE-2017-8872 #618110
    Signed-off-by: Mike Frysinger <>

 .../files/libxml2-2.9.8-CVE-2017-8872.patch        |  65 ++++++
 dev-libs/libxml2/libxml2-2.9.8-r1.ebuild           | 217 +++++++++++++++++++++
 2 files changed, 282 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-18 00:41:35 UTC
x86 stable
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-18 06:21:18 UTC
amd64 stable
Comment 4 Mart Raudsepp gentoo-dev 2019-02-18 08:06:03 UTC
arm64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-23 20:49:09 UTC
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-23 20:51:06 UTC
hppa stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-23 20:59:54 UTC
ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-23 21:02:11 UTC
ppc stable
Comment 9 Rolf Eike Beer archtester 2019-02-24 10:12:46 UTC
sparc stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-02 16:24:35 UTC
arm stable
Comment 11 Matt Turner gentoo-dev 2019-03-02 21:17:47 UTC
alpha stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-03 06:31:43 UTC
s390 stable
Comment 13 Mart Raudsepp gentoo-dev 2019-03-30 20:59:44 UTC
There were also CVE-2018-14404 and CVE-2018-14567 fixes in 2.9.8-r1 and 2.9.9.