Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 345555 (CVE-2010-4008) - <dev-libs/libxml2-2.7.8: Double Free and Denial of Service Vulnerabilities (CVE-2010-{4008,4494})
Summary: <dev-libs/libxml2-2.7.8: Double Free and Denial of Service Vulnerabilities (C...
Alias: CVE-2010-4008
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
: 351954 353208 (view as bug list)
Depends on: 352961
  Show dependency tree
Reported: 2010-11-15 04:06 UTC by Tim Sammut (RETIRED)
Modified: 2012-09-11 00:14 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-11-15 04:06:27 UTC
From $URL:

XPATH is a language querying content from XML documents. The vulnerability lies in the module processing this query language. Specifically, libxml2 does not well process a malformed XPATH, causing crash.

To exploit this vulnerability, hacker may send user a link containing malicious XPATH. When user opens this link, the malicious code will be executed, attacking user’s system.

The Red Hat bug ( lists two upstream commits as fixing the issue:

In any case, 2.7.8 has been released and is fixed.
Comment 1 Chris Mayo 2010-12-20 20:43:21 UTC
If you do use 2.7.8 do add the patch from:

else a lot of complaints like:
/usr/lib/ no version information available
Comment 2 Pacho Ramos gentoo-dev 2010-12-20 21:59:38 UTC
(In reply to comment #1)
> else a lot of complaints like:
> /usr/lib/ no version information available

Yes, I tried to bump libxml2 some days ago but these messages prevented me from committing it :-S, hopefully any other gnome team member will know where could be the problem :-/
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 16:36:22 UTC
Another libxml2 vulnerability has been announced. CVE-2010-4494 is for a Double Free vulnerability in libxml2 through 2.7.8. Upstream fixes at:

Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-01-17 23:57:08 UTC
*** Bug 351954 has been marked as a duplicate of this bug. ***
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-01-30 10:06:59 UTC
*** Bug 353208 has been marked as a duplicate of this bug. ***
Comment 6 Pacho Ramos gentoo-dev 2011-02-11 17:31:06 UTC
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-02-12 18:59:38 UTC
(In reply to comment #6)
> Bumped

Awesome, thank you.

Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2011-02-13 00:56:44 UTC
x86 stable
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-02-13 11:09:46 UTC
amd64 done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-02-13 18:48:12 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2011-02-14 20:37:03 UTC
Stable for HPPA, despite:

  ebuild.minorsyn               1
   dev-libs/libxml2/libxml2-2.7.8.ebuild: Unquoted Variable on line: 100
Comment 12 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-16 09:52:39 UTC
ppc/ppc64 stable, last arch done
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-02-17 17:32:08 UTC
Thanks, everyone. GLSA request filed.
Comment 14 Sylvia 2011-06-08 20:19:48 UTC
this bug perhaps needs to be closed, fixed, in tree
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-10-26 20:50:52 UTC
This issue was resolved and addressed in
 GLSA 201110-26 at
by GLSA coordinator Tim Sammut (underling).
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2012-09-11 00:13:30 UTC
CVE-2010-4008 (
  libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple
  Safari 5.0.2 and earlier, and other products, reads from invalid memory
  locations during processing of malformed XPath expressions, which allows
  context-dependent attackers to cause a denial of service (application crash)
  via a crafted XML document.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2012-09-11 00:14:53 UTC
CVE-2010-4494 (
  Double free vulnerability in libxml2 2.7.8 and other versions, as used in
  Google Chrome before 8.0.552.215 and other products, allows remote attackers
  to cause a denial of service or possibly have unspecified other impact via
  vectors related to XPath handling.