Bug 719144 (CVE-2019-5427) - <dev-java/c3p0- Denial of service ("billion laughs") by recursive XML expansion (CVE-2019-5427)
Alias: CVE-2019-5427
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa? cve]
Keywords: PullRequest
Depends on: 831229
Reported: 2020-04-24 02:03 UTC by GLSAMaker/CVETool Bot
Modified: 2022-01-18 20:00 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-24 02:03:47 UTC
CVE-2019-5427:
  c3p0 version < may be exploited by a billion laughs attack when
  loading XML configuration due to missing protections against recursive
  entity expansion when loading configuration.
Comment 1 Larry the Git Cow gentoo-dev 2022-01-15 09:28:36 UTC
The bug has been closed via the following commit(s):

commit a412428273d4599a10dc6d15e926a35d61bf0bc3
Author:     Yuan Liao <>
AuthorDate: 2022-01-13 22:46:12 +0000
Commit:     Miroslav Šulc <>
CommitDate: 2022-01-15 09:28:33 +0000

    dev-java/c3p0: Add with EAPI 8, updated HOMEPAGE and LICENSE
    Signed-off-by: Yuan Liao <>
    Signed-off-by: Miroslav Šulc <>

 dev-java/c3p0/Manifest            |  1 +
 dev-java/c3p0/c3p0- | 57 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
Comment 2 Miroslav Šulc gentoo-dev 2022-01-15 09:30:01 UTC
reverting back to confirmed
Comment 3 Larry the Git Cow gentoo-dev 2022-01-18 18:37:20 UTC
The bug has been referenced in the following commit(s):

commit 8e0cece5233dfea8da2e61d0db9d96456af2e0c2
Author:     Miroslav Šulc <>
AuthorDate: 2022-01-18 18:37:03 +0000
Commit:     Miroslav Šulc <>
CommitDate: 2022-01-18 18:37:03 +0000

    dev-java/c3p0: removed obsolete and vulnerable
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <>

 dev-java/c3p0/Manifest            |  1 -
 dev-java/c3p0/c3p0- | 59 ---------------------------------------
 2 files changed, 60 deletions(-)
Comment 4 Miroslav Šulc gentoo-dev 2022-01-18 18:37:43 UTC
the tree is clean now, you can proceed.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-18 20:00:24 UTC
Thank you!