Bug 417351 (CVE-2012-2921) - <dev-python/feedparser-5.1.2 DOCTYPE and ENTITY XML Declaration Denial of Service (CVE-2012-2921)
Status: RESOLVED FIXED
Alias: CVE-2012-2921
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/49254/
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-24 08:04 UTC by Michael Harrison
Modified: 2012-06-11 20:03 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michael Harrison 2012-05-24 08:04:07 UTC
An error when handling DOCTYPE and ENTITY XML declarations can be exploited to cause a high memory resource consumption via a non-ASCII-compatible encoded document.

The vulnerability is reported in versions prior to 5.1.2.

Solution
Update to version 5.1.2

Original Advisory
http://freecode.com/projects/feedparser/releases/344371
https://code.google.com/p/feedparser/source/detail?r=703&path=/trunk/feedparser/feedparser.py
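The failure mode the report describes, DOCTYPE and ENTITY declarations arriving in a non-ASCII-compatible encoding such as UTF-16, is illustrated below with an added defensive pre-parse check; this is example code written for this entry, not code from feedparser, the advisory, or the referenced fix. It assumes that the problematic pattern is a declaration check run on raw bytes, and the BOM sniffing and the sample feed are constructed for illustration.

```python
import codecs
import re

# Byte-level, ASCII-only pattern: the kind of check that misses a UTF-16
# document, because every ASCII character is interleaved with NUL bytes.
ASCII_DECL_RE = re.compile(rb'<!(DOCTYPE|ENTITY)\b', re.IGNORECASE)

# The same pattern applied to decoded text, so the encoding no longer matters.
TEXT_DECL_RE = re.compile(r'<!(DOCTYPE|ENTITY)\b', re.IGNORECASE)

# BOM table (assumed sniffing logic). UTF-32 LE must be tested before
# UTF-16 LE because its BOM starts with the UTF-16 LE BOM.
BOMS = [
    (codecs.BOM_UTF32_LE, 'utf-32-le'),
    (codecs.BOM_UTF32_BE, 'utf-32-be'),
    (codecs.BOM_UTF16_LE, 'utf-16-le'),
    (codecs.BOM_UTF16_BE, 'utf-16-be'),
    (codecs.BOM_UTF8, 'utf-8'),
]

def sniff_encoding(data: bytes) -> str:
    """Pick a codec from the BOM; without one, detect BOM-less UTF-16 from
    the first two bytes of '<?', and otherwise assume an ASCII-compatible
    encoding (UTF-8)."""
    for bom, codec in BOMS:
        if data.startswith(bom):
            return codec
    if data[:2] == b'<\x00':
        return 'utf-16-le'
    if data[:2] == b'\x00<':
        return 'utf-16-be'
    return 'utf-8'

def has_declarations_bytes(data: bytes) -> bool:
    """Naive check on raw bytes: only works for ASCII-compatible encodings."""
    return ASCII_DECL_RE.search(data) is not None

def has_declarations_decoded(data: bytes) -> bool:
    """Decode first, then look for DOCTYPE/ENTITY declarations; this is the
    check to run before handing a feed to an entity-expanding parser."""
    text = data.decode(sniff_encoding(data), errors='replace')
    return TEXT_DECL_RE.search(text) is not None

# Constructed sample: a tiny feed carrying an internal DTD with one entity.
FEED_TEXT = ('<?xml version="1.0"?>'
             '<!DOCTYPE rss [<!ENTITY x "y">]>'
             '<rss><channel><title>&x;</title></channel></rss>')
FEED_UTF8 = FEED_TEXT.encode('utf-8')
FEED_UTF16 = codecs.BOM_UTF16_LE + FEED_TEXT.encode('utf-16-le')
```

Running both checks over the two encodings shows the byte-level check flagging only the UTF-8 copy, while the decoded check flags both.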
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-05-24 18:54:18 UTC
@python, ok to stabilize =dev-python/feedparser-5.1.2?
Comment 2 Mike Gilbert gentoo-dev 2012-05-24 19:48:05 UTC
(In reply to comment #1)

Looks good to me.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-05-24 19:50:44 UTC
Great, thank you.

Arches, please test and mark stable:
=dev-python/feedparser-5.1.2
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2012-05-25 08:58:10 UTC
amd64 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2012-05-26 17:15:50 UTC
alpha/ia64/sparc/x86 stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2012-06-06 14:07:19 UTC
ppc64 done
Comment 7 Brent Baude (RETIRED) gentoo-dev 2012-06-08 18:09:14 UTC
ppc done
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-06-10 15:32:13 UTC
Thanks, folks. GLSA Vote: no.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-06-11 20:03:41 UTC
GLSA vote: no.

Closing noglsa.