Bug 386985 (CVE-2011-2821) - <dev-libs/libxml2-2.7.8-r3: Double free vulnerabilities (CVE-2011-{2821,2834})
Status: RESOLVED FIXED
Alias: CVE-2011-2821
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://git.gnome.org/browse/libxml2/c...
Whiteboard: A2 [glsa]
Depends on: 385699
Reported: 2011-10-12 21:40 UTC by Michael Harrison
Modified: 2012-09-11 00:42 UTC

Description Michael Harrison 2011-10-12 21:40:37 UTC
Double free vulnerabilities in libxml2 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted XPath expression and via vectors related to XPath handling.

Commits fixing the issue:

(CVE-2011-2821)  
http://git.gnome.org/browse/libxml2/commit/?id=f5048b3e71fc30ad096970b8df6e7af073bae4cb

(CVE-2011-2834)
https://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxml/src/xpath.c?r1=98359&r2=98358&pathrev=98359


Reproducible: Always
Comment 2 Pacho Ramos gentoo-dev 2011-10-15 22:11:43 UTC
+*libxml2-2.7.8-r3 (15 Oct 2011)
+
+  15 Oct 2011; Pacho Ramos <pacho@gentoo.org> -libxml2-2.7.8.ebuild,
+  +libxml2-2.7.8-r3.ebuild, +files/libxml2-2.7.8-error-xpath.patch,
+  +files/libxml2-2.7.8-hardening-xpath.patch:
+  Fix CVE-2011-{2821,2834}, bug #386985, thanks to Michael Harrison and Tim
+  Sammut. Remove old.
+
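Review bot: The "Fix CVE-2011-{2821,2834}" line does not say which of the two added patches, files/libxml2-2.7.8-error-xpath.patch or files/libxml2-2.7.8-hardening-xpath.patch, addresses which CVE. Stating that mapping in the ChangeLog entry or in the patch headers, together with the upstream commit each patch was taken from, would make the fix easier to audit later.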
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-10-15 23:48:28 UTC
(In reply to comment #2)
> +*libxml2-2.7.8-r3 (15 Oct 2011)
> +

Awesome, thank you, Pacho.

Arches, please test and mark stable:
=dev-libs/libxml2-2.7.8-r3
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Pacho Ramos gentoo-dev 2011-10-16 00:06:29 UTC
Better to use bug 385699 for arches other than amd64, to prevent them from needing to stabilize an older version.
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-16 09:10:17 UTC
@gnome,

minor warning:
dev-libs/libxml2/libxml2-2.7.8-r3.ebuild: Unquoted Variable on line: 112

amd64 ok.
Comment 6 Pacho Ramos gentoo-dev 2011-10-16 09:34:11 UTC
Why is this depending on bug 387281? Is it caused by libxml update?

Regarding unquoted variables, it's due to prefix stuff; if I don't misremember, it's a false positive, but better ask the prefix team about that.
Comment 7 Agostino Sarubbo gentoo-dev 2011-10-16 09:40:40 UTC
(In reply to comment #6)
> Why is this depending on bug 387281? Is it caused by libxml update?

Sorry, my bad, wrong bug =)


> Regarding unquoted variables, it's due to prefix stuff; if I don't misremember,
> it's a false positive, but better ask the prefix team about that.

grep PREFIX /usr/portage/dev-libs/libxml2/* contains your response :p
Comment 8 Pacho Ramos gentoo-dev 2011-10-16 09:59:16 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > Regarding unquoted variables, it's due to prefix stuff; if I don't misremember,
> > it's a false positive, but better ask the prefix team about that.
> 
> grep PREFIX /usr/portage/dev-libs/libxml2/* contains your response :p

I was talking about asking for the reasons for not adding quotes when some prefix team members add prefix support ;)
Comment 9 Ian Delaney (RETIRED) gentoo-dev 2011-10-16 11:57:03 UTC
amd64: 

emerge fine, rdeps emerge fine,

all aok
Comment 10 Tony Vroon (RETIRED) gentoo-dev 2011-10-20 13:09:58 UTC
+  20 Oct 2011; Tony Vroon <chainsaw@gentoo.org> libxml2-2.7.8-r3.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #386985.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-10-20 15:54:08 UTC
Thanks, folks. Added to existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-26 20:51:02 UTC
This issue was resolved and addressed in GLSA 201110-26 at http://security.gentoo.org/glsa/glsa-201110-26.xml by GLSA coordinator Tim Sammut (underling).
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-09-11 00:42:32 UTC
CVE-2011-2821 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2821):
  Double free vulnerability in libxml2, as used in Google Chrome before
  13.0.782.215, allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via a crafted XPath expression.