Missing validation for external entities was found in xmlParsePEReference that can lead to an XXE attack.
Upstream bug (private at the moment): https://bugzilla.gnome.org/show_bug.cgi?id=780691
Android patch: https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa
References: https://source.android.com/security/bulletin/2017-06-01#libraries
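A fail-closed loader for the kind of input this report is about, as an added example that is not part of this bug, of libxml2 or of the Gentoo package: it rejects documents whose DTD declares or references a parameter entity (the construct xmlParsePEReference handles) and, for everything else, parses with Python's stdlib expat configured to refuse external entity resolution. The regexes, function names and sample documents are constructed for the example.

```python
"""Fail-closed XML loading: refuse external (parameter) entities before and during parsing."""
import re
import xml.parsers.expat as expat

# External parameter-entity declaration in the internal subset,
# e.g. <!ENTITY % ext SYSTEM "http://...">  (constructed pattern, not libxml2 code)
_EXT_PE_DECL = re.compile(r'<!ENTITY\s+%\s+\S+\s+(?:SYSTEM|PUBLIC)\b', re.I)
# A parameter-entity reference such as %ext; (what xmlParsePEReference parses)
_PE_REF = re.compile(r'%[A-Za-z_][\w.\-]*;')
_INTERNAL_SUBSET = re.compile(r'<!DOCTYPE\b.*?\[(.*?)\]\s*>', re.I | re.S)


def has_external_pe(doc: str) -> bool:
    """True if the DOCTYPE internal subset declares or references a parameter
    entity that could pull in external content."""
    m = _INTERNAL_SUBSET.search(doc)
    if not m:
        return False
    subset = m.group(1)
    return bool(_EXT_PE_DECL.search(subset) or _PE_REF.search(subset))


def parse_strict(doc: str) -> dict:
    """Parse with expat while refusing every external entity reference.
    Returns {"ok": bool, "elements": [tag names], "error": str | None}."""
    if has_external_pe(doc):
        return {"ok": False, "elements": [], "error": "external parameter entity in DTD"}
    tags = []
    p = expat.ParserCreate()
    # Never expand parameter entities, and never fetch an external DTD subset.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    # Returning 0 makes expat abort instead of resolving a general external entity.
    p.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    p.StartElementHandler = lambda name, attrs: tags.append(name)
    try:
        p.Parse(doc, True)
    except expat.ExpatError as exc:
        return {"ok": False, "elements": tags, "error": str(exc)}
    return {"ok": True, "elements": tags, "error": None}


# Constructed sample documents (not taken from the bug report).
SAFE_DOC = '<?xml version="1.0"?><root><item/></root>'
PE_DOC = ('<!DOCTYPE r [<!ENTITY % ext SYSTEM "http://example.invalid/e.dtd">'
          '%ext;]><r/>')
GE_DOC = '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///nonexistent">]><r>&x;</r>'

if __name__ == "__main__":
    for name, doc in (("safe", SAFE_DOC), ("pe", PE_DOC), ("ge", GE_DOC)):
        print(name, parse_strict(doc))
```

The pre-check matters because expat itself silently skips an unresolvable parameter-entity reference rather than failing, so only the general-entity case is caught by the handler.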
Patches for this issue have been pushed in libxml-2.9.4-r2. Please note that:
* patches were cherry-picked from upstream master according to information found in this ticket; some patches were harder to find due to upstream blocking access to it.
* unit tests in the ebuild have actually not been run for a long time, certainly due to a problem when porting to multilib. Maybe it existed before, didn't check yet.
Anyway, as lots of other security-related fixes are pending an upstream release, I pushed this as a stopgap until I get more time to do a proper snapshot and fix these unit test issues.
After pushing r2, I found out Debian had just pushed its DSA as well so I updated our patch stack with patches referenced in their package.
Hello arches, please test and stabilize dev-libs/libxml-2.9.4-r3, which ships with several security-related patches. While working on this, I figured the test suite was inadvertently disabled when the ebuild was converted to multilib, so I took the opportunity to reactivate it and disabled the one failing test I found (there were a couple more failing in r2).
This revision should cover the following security bugs:
https://bugs.gentoo.org/show_bug.cgi?id=599192
https://bugs.gentoo.org/show_bug.cgi?id=618604
https://bugs.gentoo.org/show_bug.cgi?id=623206
https://bugs.gentoo.org/show_bug.cgi?id=622914
https://bugs.gentoo.org/show_bug.cgi?id=605208
And the non-security bug:
https://bugs.gentoo.org/show_bug.cgi?id=586886
An automated check of this bug failed - the following atom is unknown: dev-libs/libxml-2.9.4-r3 Please verify the atom list.
amd64 stable
alpha stable
ia64 stable
x86 stable
arm stable
sparc stable (thanks to Dakon)
hppa stable (thanks to Dakon)
ppc64 stable
ppc stable
Thank you arches, @security, please add to CVE and vote on glsa.
@maintainer(s) please clean up... apologies for rushing.
This and all related bugs added to GLSA request.
This issue was resolved and addressed in GLSA 201711-01 at https://security.gentoo.org/glsa/201711-01 by GLSA coordinator Christopher Diaz Riveros (chrisadr).
@Maintainers Re-opening for cleanup. @arm64 please try to finish stabilization. Thank you.
Cleanup will be tracked in bug #644574.