Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 817863 (CVE-2021-42260) - <dev-libs/tinyxml-2.6.2-r5: infinite loop (CVE-2021-42260)
Summary: <dev-libs/tinyxml-2.6.2-r5: infinite loop (CVE-2021-42260)
Alias: CVE-2021-42260
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [cleanup glsa?]
Depends on: 915341
  Show dependency tree
Reported: 2021-10-12 14:14 UTC by John Helmert III
Modified: 2023-10-09 06:00 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-12 14:14:17 UTC

TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.
Comment 2 Larry the Git Cow gentoo-dev 2023-08-27 08:42:57 UTC
The bug has been referenced in the following commit(s):

commit d139a435333edbdb81869e7d4b984a7535e9eda8
Author:     Bernard Cafarelli <>
AuthorDate: 2023-08-27 08:42:10 +0000
Commit:     Bernard Cafarelli <>
CommitDate: 2023-08-27 08:42:53 +0000

    dev-libs/tinyxml: bump to add infinite loop patch
    Signed-off-by: Bernard Cafarelli <>

 .../files/tinyxml-2.6.2-CVE-2021-42260.patch       | 23 ++++++++
 dev-libs/tinyxml/tinyxml-2.6.2-r5.ebuild           | 68 ++++++++++++++++++++++
 2 files changed, 91 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-07 18:21:23 UTC