Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 694362 (CVE-2019-15903) - <dev-libs/expat-2.2.8: heap-based buffer over-read via crafted XML input (CVE-2019-15903)
Summary: <dev-libs/expat-2.2.8: heap-based buffer over-read via crafted XML input (CVE...
Status: RESOLVED FIXED
Alias: CVE-2019-15903
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-09-14 13:44 UTC by Sebastian Pipping
Modified: 2019-11-25 00:19 UTC (History)
0 users

See Also:
Package list:
=dev-libs/expat-2.2.8
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Pipping gentoo-dev 2019-09-14 13:44:14 UTC
I think we should stabilize 2.2.8 to get our users on safe ground.
Comment 1 Stabilization helper bot gentoo-dev 2019-09-14 13:59:38 UTC
An automated check of this bug failed - repoman reported dependency errors (6 lines truncated): 

> dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0) ['app-text/docbook2X']
> dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop) ['app-text/docbook2X']
> dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop/gnome) ['app-text/docbook2X']
Comment 2 Sebastian Pipping gentoo-dev 2019-09-14 18:34:47 UTC
(In reply to Stabilization helper bot from comment #1)
> An automated check of this bug failed - repoman reported dependency errors
> (6 lines truncated): 
> 
> > dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0) ['app-text/docbook2X']
> > dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop) ['app-text/docbook2X']
> > dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop/gnome) ['app-text/docbook2X']

Give me a second, I have an idea how to drop that dependency again...
Comment 3 Larry the Git Cow gentoo-dev 2019-09-14 18:39:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3857d108c142a4bf4d69df8fcf1e9d46c6b6609

commit a3857d108c142a4bf4d69df8fcf1e9d46c6b6609
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2019-09-14 18:38:29 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2019-09-14 18:38:39 +0000

    dev-libs/expat: Make use of shipped pre-compiled man page
    
    Bug: https://bugs.gentoo.org/694362
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-2.3.68, Repoman-2.3.16

 dev-libs/expat/expat-2.2.8.ebuild | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
Comment 4 Sebastian Pipping gentoo-dev 2019-09-14 18:40:23 UTC
Done :)
Comment 5 Rolf Eike Beer archtester 2019-09-14 23:39:09 UTC
hppa/sparc stable
Comment 6 Stabilization helper bot gentoo-dev 2019-09-15 00:02:18 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2019-09-15 03:51:27 UTC
arm64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-09-16 07:56:30 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-09-16 07:57:36 UTC
amd64 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-09-16 22:10:40 UTC
ia64/ppc/ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-09-20 12:10:17 UTC
s390 stable
Comment 12 Matt Turner gentoo-dev 2019-09-21 01:00:27 UTC
alpha stable
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2019-09-24 11:39:40 UTC
New GLSA request filed.
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-09-26 20:03:05 UTC
arm stable
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-25 11:28:47 UTC
@ maintainer(s): Please cleanup and drop <dev-libs/expat-2.2.8!
Comment 16 Larry the Git Cow gentoo-dev 2019-10-26 10:44:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a865e40bcced3a011bfaf0f48e8e3ca24720121

commit 8a865e40bcced3a011bfaf0f48e8e3ca24720121
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2019-10-26 10:43:19 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2019-10-26 10:44:11 +0000

    dev-libs/expat: Remove vulnerable
    
    Bug: https://bugs.gentoo.org/694362
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-2.3.68, Repoman-2.3.16

 dev-libs/expat/Manifest           |  2 -
 dev-libs/expat/expat-2.2.6.ebuild | 97 ---------------------------------------
 dev-libs/expat/expat-2.2.7.ebuild | 96 --------------------------------------
 3 files changed, 195 deletions(-)
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2019-11-25 00:19:28 UTC
This issue was resolved and addressed in
 GLSA 201911-08 at https://security.gentoo.org/glsa/201911-08
by GLSA coordinator Aaron Bauman (b-man).