Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 405261 (CVE-2012-0841) - <dev-libs/libxml2-2.7.8-r5: hash table collisions CPU usage DoS (CVE-2012-0841)
Summary: <dev-libs/libxml2-2.7.8-r5: hash table collisions CPU usage DoS (CVE-2012-0841)
Status: RESOLVED FIXED
Alias: CVE-2012-0841
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: hashDoS
  Show dependency tree
 
Reported: 2012-02-22 11:30 UTC by Michael Harrison
Modified: 2012-03-06 01:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Harrison 2012-02-22 11:30:02 UTC
It was found that the hashing routine used by libxml2 arrays was
susceptible to predictable hash collisions. Sending a specially-crafted
message to an XML service could result in longer processing time, which
could lead to a denial of service.

Advisory Info:
https://rhn.redhat.com/errata/RHSA-2012-0324.html

Upstream Commit:
http://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-02-23 01:01:10 UTC
Fixed in 2.7.8-r5, thanks for reporting.

>*libxml2-2.7.8-r5 (23 Feb 2012)
>
>  23 Feb 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  -libxml2-2.7.8-r1.ebuild, -libxml2-2.7.8-r2.ebuild, -libxml2-2.7.8-r3.ebuild,
>  +libxml2-2.7.8-r5.ebuild, +files/libxml2-2.7.8-hash-randomization.patch:
>  Add hashing randomization to prevent DoS vulnerability (CVE-2012-0841, bug
>  #405261, thanks to Michael Harrison for reporting). Drop old.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-02-23 02:28:08 UTC
(In reply to comment #1)
> Fixed in 2.7.8-r5, thanks for reporting.
> 

Thank you.

Arches, please test and mark stable:
=dev-libs/libxml2-2.7.8-r5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-23 04:48:24 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2012-02-23 12:56:29 UTC
amd64 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2012-02-28 20:21:05 UTC
ppc done
Comment 6 Dan Dexter 2012-02-29 00:32:10 UTC
Archtested on x86: Everything OK.
Compiles without issue, RDEPS successfully linked to libxml2 and tested xml functionality of a few applications.
Comment 7 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-29 21:55:44 UTC
x86 stable, thanks Dan
Comment 8 Tobias Klausmann gentoo-dev 2012-03-02 13:43:34 UTC
Stable on alpha.
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-03-03 14:33:40 UTC
ppc64 done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-03-03 19:51:38 UTC
arm/ia64/m68k/s390/sh/sparc stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-03-03 20:11:15 UTC
Thanks, folks. GLSA Vote: yes.
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-04 20:55:48 UTC
Vote: yes. GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 01:33:38 UTC
This issue was resolved and addressed in
 GLSA 201203-04 at http://security.gentoo.org/glsa/glsa-201203-04.xml
by GLSA coordinator Sean Amoss (ackle).