Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 833809 (CVE-2022-23308) - <dev-libs/libxml2-2.9.13: multiple vulnerabilities
Summary: <dev-libs/libxml2-2.9.13: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-23308
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/libxml...
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 834458
Blocks:
  Show dependency tree
 
Reported: 2022-02-20 20:43 UTC by John Helmert III
Modified: 2022-10-16 14:55 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-20 20:43:53 UTC
From URL:

"Security:
  [CVE-2022-23308] Use-after-free of ID and IDREF attributes
  (Thanks to Shinji Sato for the report)
  Use-after-free in xmlXIncludeCopyRange (David Kilzer)
  Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong)
  Fix memory leak in xmlXPathCompNodeTest
  Fix null pointer deref in xmlStringGetNodeList
  Fix several memory leaks found by Coverity (David King)"
Comment 1 Larry the Git Cow gentoo-dev 2022-02-21 01:13:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c38911533cea511c6c5a318e517da7d6df96ecb

commit 2c38911533cea511c6c5a318e517da7d6df96ecb
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-21 01:10:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-21 01:10:59 +0000

    dev-libs/libxml2: add 2.9.13
    
    Bug: https://bugs.gentoo.org/833809
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.9.13.ebuild | 240 +++++++++++++++++++++++++++++++++
 2 files changed, 241 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-02-21 02:00:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac5e34e355b38781725f213dc32976bc0467b16b

commit ac5e34e355b38781725f213dc32976bc0467b16b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-21 01:59:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-21 02:00:27 +0000

    dev-libs/libxml2: restore LDFLAGS patch; drop unnecessary test patch
    
    Bug: https://bugs.gentoo.org/833809
    Signed-off-by: Sam James <sam@gentoo.org>

 .../libxml2/{libxml2-2.9.13.ebuild => libxml2-2.9.13-r1.ebuild}     | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:32:12 UTC
GLSA request filed
Comment 4 Larry the Git Cow gentoo-dev 2022-10-16 14:46:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=adf5474fd11ba8a07548c5e37fac5e66db57a112

commit adf5474fd11ba8a07548c5e37fac5e66db57a112
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:40:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:20 +0000

    [ GLSA 202210-03 ] libxml2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/833809
    Bug: https://bugs.gentoo.org/842261
    Bug: https://bugs.gentoo.org/865727
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-03.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 14:55:08 UTC
GLSA released, all done!