Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 398361 (CVE-2011-3919) - <dev-libs/libxml2-2.7.8-r4: Heap-based buffer overflow when decoding an entity reference with a long name (CVE-2011-3919)
Summary: <dev-libs/libxml2-2.7.8-r4: Heap-based buffer overflow when decoding an entit...
Alias: CVE-2011-3919
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2012-01-10 11:01 UTC by Agostino Sarubbo
Modified: 2012-02-29 20:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-01-10 11:01:04 UTC
From redhat bugzilla at $URL:

A heap-based buffer overflow was found in the way libxml2 decoded an entity
reference with a long name. A remote attacker could provide a specially-crafted
XML file, which once opened in an application linked against libxml would cause
that application to crash, or, potentially, execute arbitrary code with the
privileges of the user running the application.

Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-01-10 20:30:30 UTC
Fixed in libxml2-2.7.8-r4, thanks for reporting!

>*libxml2-2.7.8-r4 (10 Jan 2012)
>  10 Jan 2012; Alexandre Rostovtsev <>
>  +libxml2-2.7.8-r4.ebuild,
>  +files/libxml2-2.7.8-allocation-error-copying-entities.patch:
>  Fix heap-based overflow in parsing long entity references (CVE-2011-3919, bug
>  #398361, thanks to Agostino Sarubbo for reporting).
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-01-10 21:03:05 UTC
(In reply to comment #1)
> Fixed in libxml2-2.7.8-r4, thanks for reporting!

Great, thank you.

Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-01-10 23:27:16 UTC
amd64 stable
Comment 4 Mark Loeser (RETIRED) gentoo-dev 2012-01-11 18:25:33 UTC
ppc/ppc64 done
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-12 17:29:37 UTC
x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2012-01-14 18:05:22 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-01-16 03:00:01 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2012-01-16 09:35:04 UTC
Filed new request in glsamaker.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 03:58:23 UTC
CVE-2011-3919 (
  Heap-based buffer overflow in libxml2, as used in Google Chrome before
  16.0.912.75, allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via unknown vectors.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-02-29 20:12:08 UTC
This issue was resolved and addressed in
 GLSA 201202-09 at
by GLSA coordinator Sean Amoss (ackle).