Bug 644574 - <dev-libs/libxml2-2.9.6: Use-after-free memory corruption (CVE-2017-15412)
Summary: <dev-libs/libxml2-2.9.6: Use-after-free memory corruption (CVE-2017-15412)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://xmlsoft.org/news.html
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-14 16:50 UTC by Ian Zimmerman
Modified: 2018-03-09 15:26 UTC
Description Ian Zimmerman 2018-01-14 16:50:01 UTC
According to the summary in the Chromium bug tracker [1]:

When calling XPath functions, the XPath engine of libxml2 fails to verify correct stack usage. This isn't a problem in most cases where functions report an error to the XPath engine, because this usually leads to an early exit from the XPath evaluation. But if a function fails to signal an error and leaves the stack in an unexpected state, the evaluation continues.

RedHat bugzilla entry [2]

Upstream patch [3]

[1]
https://bugs.chromium.org/p/chromium/issues/detail?id=727039

[2]
https://bugzilla.redhat.com/show_bug.cgi?id=1523128

[3]
https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73
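The summary above describes an XPath engine that trusts a function to leave its value stack in a sane state. The following is an added, constructed model (not libxml2 code) of the defensive check: record the stack frame before a function runs and verify afterwards that exactly one result replaced the consumed arguments, so a misbehaving function is reported instead of having a stale value read as its result.

```python
"""Constructed model of an XPath-style value stack with a frame check (not libxml2 code)."""
from typing import Callable, Dict, List, Tuple

class XPathError(Exception):
    """Raised when evaluation detects an inconsistent value stack."""

class ValueStack:
    def __init__(self) -> None:
        self.values: List[object] = []
    def push(self, v: object) -> None:
        self.values.append(v)
    def pop(self) -> object:
        if not self.values:
            raise XPathError("value stack underflow")
        return self.values.pop()

Func = Callable[[ValueStack, int], None]

def concat(stack: ValueStack, nargs: int) -> None:
    """Well-behaved function: consumes nargs values, pushes exactly one result."""
    args = [stack.pop() for _ in range(nargs)][::-1]
    stack.push("".join(str(a) for a in args))

def broken(stack: ValueStack, nargs: int) -> None:
    """Misbehaving function: consumes its arguments but pushes no result and signals no error."""
    for _ in range(nargs):
        stack.pop()

def call_function(stack: ValueStack, func: Func, nargs: int, checked: bool) -> object:
    """Invoke func; with checked=True verify the stack holds frame+1 values afterwards."""
    frame = len(stack.values) - nargs          # stack depth below this call's arguments
    if frame < 0:
        raise XPathError("too few arguments on stack")
    func(stack, nargs)
    if checked and len(stack.values) != frame + 1:
        raise XPathError(f"function left {len(stack.values)} values, expected {frame + 1}")
    return stack.pop()                         # unchecked: may be an unrelated older value

def evaluate(program: List[Tuple], funcs: Dict[str, Func], checked: bool = True) -> object:
    """Run a tiny op list: ("push", value) or ("call", name, nargs); return the final result."""
    stack = ValueStack()
    result: object = None
    for op in program:
        if op[0] == "push":
            stack.push(op[1])
        elif op[0] == "call":
            result = call_function(stack, funcs[op[1]], op[2], checked)
        else:
            raise XPathError(f"unknown op {op[0]!r}")
    return result

FUNCS: Dict[str, Func] = {"concat": concat, "broken": broken}
```

With `checked=False` the broken function's "result" is whatever happened to sit below its arguments, which mirrors how evaluation could continue on an unexpected stack state.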
Comment 1 D'juan McDonald (domhnall) 2018-01-16 13:21:15 UTC
@maintainer(s): please call for stabilization when ready, thank you.

Fix XPath stack frame logic - v2.9.6-rc1

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 2 Mart Raudsepp gentoo-dev 2018-01-16 16:39:28 UTC
Call what stable? All security supported arches have had libxml2 2.9.6 stable since 27th December.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-17 14:07:01 UTC
(In reply to Mart Raudsepp from comment #2)
> Call what stable? All security supported arches have had libxml2 2.9.6
> stable since 27th December.

Mart, thanks for the update.  2.9.6 indeed has the patch.  Unstable arches pending stabilization.  Cleanup when possible or mask vulnerable versions please.
Comment 4 Larry the Git Cow gentoo-dev 2018-01-21 01:44:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7a0ef2da5c03fcf9e96baad04bff6f942e73575

commit a7a0ef2da5c03fcf9e96baad04bff6f942e73575
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-01-21 01:43:48 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-01-21 01:44:25 +0000

    dev-libs/libxml2: security cleanup
    
    Bug: https://bugs.gentoo.org/644574
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-libs/libxml2/libxml2-2.9.4-r1.ebuild |   4 +-
 dev-libs/libxml2/libxml2-2.9.4-r3.ebuild | 239 -------------------------------
 2 files changed, 2 insertions(+), 241 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2018-03-02 16:09:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=783baf3271249d8e234cd806650191181ef03c9c

commit 783baf3271249d8e234cd806650191181ef03c9c
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-03-02 14:32:11 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-03-02 16:08:50 +0000

    dev-libs/libxml2: security cleanup
    
    Bug: https://bugs.gentoo.org/644574
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-libs/libxml2/Manifest                          |   1 -
 .../files/libxml2-2.9.2-disable-tests.patch        |  68 ------
 .../files/libxml2-2.9.4-CVE-2016-4658.patch        | 249 ---------------------
 .../files/libxml2-2.9.4-CVE-2016-5131.patch        | 174 --------------
 .../libxml2/files/libxml2-2.9.4-nullptrderef.patch |  50 -----
 .../files/libxml2-2.9.4-nullptrderef2.patch        |  57 -----
 dev-libs/libxml2/libxml2-2.9.4-r1.ebuild           | 220 ------------------
 7 files changed, 819 deletions(-)
Comment 6 Mart Raudsepp gentoo-dev 2018-03-02 16:10:18 UTC
Cleanup done.