There are not many details, but the upstream patch is
Off-by-one error in libxml2, as used in Google Chrome before 19.0.1084.46,
allows remote attackers to cause a denial of service (out-of-bounds write)
or possibly have unspecified other impact via unknown vectors.
Fixed in libxml2-2.8.0_rc1 (the libxml2 upstream is finally on its way to making a new release)
>*libxml2-2.8.0_rc1 (21 May 2012)
> 21 May 2012; Alexandre Rostovtsev <email@example.com>
> -libxml2-2.7.8-r4.ebuild, +libxml2-2.8.0_rc1.ebuild,
> Version bump with numerous bugfixes, including for bug #416209 (out-of-bounds
> write, CVE-2011-3102, thanks to Paweł Hajdan, Jr.). Drop old.
Thanks. Just to make sure since this isn't a full release, are we moving to stabilize libxml2-2.8.0_rc1 now?
(In reply to comment #3)
> Thanks. Just to make sure since this isn't a full release, are we moving to
> stabilize libxml2-2.8.0_rc1 now?
It would be my recommendation. The git changelog between 2.7.8 and 2.8.0-rc1 basically consists of fixes for various parser errors, crashes, infinite loops, memory leaks, and security holes; the only new features are support for lzma compression and <meta charset>.
Ok, thanks; then on we go. ;)
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
libxml2-2.8.0-rc1.tar.gz is no longer available at ftp://xmlsoft.org/libxml2/
pls update to rc2
(In reply to comment #10)
Fixed, thanks for noticing!
>*libxml2-2.8.0 (25 May 2012)
> 25 May 2012; Alexandre Rostovtsev <firstname.lastname@example.org>
> libxml2-2.8.0_rc1.ebuild, +libxml2-2.8.0.ebuild:
> Version bump to 2.8.0 final. Point rc1's SRC_URI at Gentoo mirrors since the
> rc1 tarball is no longer available from upstream (bug #416209 comment #10)..
Thanks, folks. GLSA request filed.
This issue was resolved and addressed in
GLSA 201207-02 at http://security.gentoo.org/glsa/glsa-201207-02.xml
by GLSA coordinator Sean Amoss (ackle).