See https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd.

"""
In several places, the code handling string buffers didn't check for integer overflow or used wrong types for buffer sizes. This could result in out-of-bounds writes or other memory errors when working on large, multi-gigabyte buffers.

Thanks to Felix Wilhelm for the report.
"""
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bbbe5e4ec96f6c8b2d2858f9c23fa8a24a797f2

commit 8bbbe5e4ec96f6c8b2d2858f9c23fa8a24a797f2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-03 00:38:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-03 00:39:01 +0000

    dev-libs/libxml2: add 2.9.14

    Bug: https://bugs.gentoo.org/842261
    Closes: https://bugs.gentoo.org/582130
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest | 1 +
 .../files/libxml2-2.9.13-testapi-missing-xml.patch | 9 -
 .../files/libxml2-2.9.8-out-of-tree-test.patch | 31 ++++
 dev-libs/libxml2/libxml2-2.9.14.ebuild | 193 +++++++++++++++++++++
 dev-libs/libxml2/libxml2-9999.ebuild | 51 +++---
 5 files changed, 255 insertions(+), 30 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=adf5474fd11ba8a07548c5e37fac5e66db57a112

commit adf5474fd11ba8a07548c5e37fac5e66db57a112
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:40:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:20 +0000

    [ GLSA 202210-03 ] libxml2: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/833809
    Bug: https://bugs.gentoo.org/842261
    Bug: https://bugs.gentoo.org/865727
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-03.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
GLSA released, all done!