Bug 623206 (CVE-2017-7375) - <dev-libs/libxml2-2.9.4-r3: Missing validation for external entities in xmlParsePEReference (CVE-2017-7375)
Summary: <dev-libs/libxml2-2.9.4-r3: Missing validation for external entities in xmlPa...
Status: RESOLVED FIXED
Alias: CVE-2017-7375
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-5969, CVE-2016-9318, CVE-2017-0663, CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-9050, 622914
Reported: 2017-06-30 21:46 UTC by Volkan
Modified: 2018-07-28 10:35 UTC
See Also:
Package list:
dev-libs/libxml2-2.9.4-r3
Runtime testing required: ---
stable-bot: sanity-check+
Description Volkan 2017-06-30 21:46:32 UTC
Missing validation for external entities was found in xmlParsePEReference that can lead to XXE attack.

Upstream bug (private at the moment):

https://bugzilla.gnome.org/show_bug.cgi?id=780691

Android patch:

https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa

References:

https://source.android.com/security/bulletin/2017-06-01#libraries
Comment 1 Gilles Dartiguelongue (RETIRED) gentoo-dev 2017-08-23 07:34:41 UTC
Patches for this issue have been pushed in libxml-2.9.4-r2.

Please note that:
* patches were cherry-picked from upstream master according to information found in this ticket; some patches were harder to find due to upstream blocking access to them.
* unit tests in the ebuild have actually not been run for a long time, certainly due to a problem when porting to multilib. Maybe it existed before; I didn't check yet.

Anyway, as lots of other security-related fixes are pending an upstream release, I pushed this as a stopgap until I get more time to do a proper snapshot and fix these unit test issues.
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2017-08-24 22:51:05 UTC
After pushing r2, I found out Debian had just pushed its DSA as well so I updated our patch stack with patches referenced in their package.
Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev 2017-08-24 22:57:24 UTC
Hello arches,

please test and stabilize dev-libs/libxml-2.9.4-r3, which ships with several security-related patches. While working on this, I figured the test suite was inadvertently disabled when the ebuild was converted to multilib, so I took the opportunity to reactivate it and disable the one failing test I found (there were a couple more failing in r2).

This revision should cover the following security bugs:
https://bugs.gentoo.org/show_bug.cgi?id=599192
https://bugs.gentoo.org/show_bug.cgi?id=618604
https://bugs.gentoo.org/show_bug.cgi?id=623206
https://bugs.gentoo.org/show_bug.cgi?id=622914
https://bugs.gentoo.org/show_bug.cgi?id=605208

And a non-security bug:
https://bugs.gentoo.org/show_bug.cgi?id=586886
Comment 4 Stabilization helper bot gentoo-dev 2017-08-24 23:00:40 UTC
An automated check of this bug failed - the following atom is unknown:

dev-libs/libxml-2.9.4-r3

Please verify the atom list.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2017-08-25 22:11:17 UTC
amd64 stable
Comment 6 Matt Turner gentoo-dev 2017-08-25 22:34:58 UTC
alpha stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-26 09:54:38 UTC
ia64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-29 20:43:13 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2017-09-05 04:39:29 UTC
arm stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-10 19:49:18 UTC
sparc stable (thanks to Dakon)
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-11 19:13:45 UTC
hppa stable (thanks to Dakon)
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:15:19 UTC
ppc64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:52:10 UTC
ppc stable
Comment 14 D'juan McDonald (domhnall) 2017-10-14 07:01:56 UTC
Thank you arches,

@security, please add to CVE and vote on glsa.
Comment 15 D'juan McDonald (domhnall) 2017-10-14 08:11:38 UTC
@maintainer(s) please clean up...apologies for rushing.
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-10-30 00:20:48 UTC
This and all related bugs added to GLSA request.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-11-10 03:49:30 UTC
This issue was resolved and addressed in
 GLSA 201711-01 at https://security.gentoo.org/glsa/201711-01
by GLSA coordinator Christopher Diaz Riveros (chrisadr).
Comment 18 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-10 03:53:11 UTC
@Maintainers Re-opening for cleanup.


@arm64 please try to finish stabilization.

Thank you
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2018-01-17 14:11:42 UTC
Cleanup will be tracked in bug #644574.