Bug 525656 (CVE-2014-3660) - <dev-libs/libxml2-2.9.2: expansion attack (CVE-2014-3660)
Summary: <dev-libs/libxml2-2.9.2: expansion attack (CVE-2014-3660)
Status: RESOLVED FIXED
Alias: CVE-2014-3660
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Reported: 2014-10-17 14:17 UTC by Hanno Böck
Modified: 2014-12-11 06:51 UTC
Description Hanno Böck gentoo-dev 2014-10-17 14:17:03 UTC
The original report is not in English so I can't judge the details:
https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html

This is the upstream fix/commit:
https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230
Comment 1 Pacho Ramos gentoo-dev 2014-10-18 08:24:33 UTC
+*libxml2-2.9.2 (18 Oct 2014)
+
+  18 Oct 2014; Pacho Ramos <pacho@gentoo.org>
+  +files/libxml2-2.9.2-icu-pkgconfig.patch,
+  +files/libxml2-2.9.2-revert-missing-initialization.patch,
+  +libxml2-2.9.2.ebuild:
+  Version bump
+
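Review bot: The entry text "Version bump" does not say that this bump is the fix for security bug #525656 (CVE-2014-3660); naming the bug here, as the 09 Dec 2014 cleanup entry does, would let anyone reading the ChangeLog see why 2.9.2 has to go stable. The two added patches (icu-pkgconfig and revert-missing-initialization) are also listed without a word on why they are carried.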
Comment 2 Agostino Sarubbo gentoo-dev 2014-10-19 07:24:54 UTC
Ready for stabilization?
Comment 3 Pacho Ramos gentoo-dev 2014-10-19 12:05:33 UTC
I have been using it since yesterday and it looks OK to me (at least it doesn't seem to break anything)
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-11-23 14:42:38 UTC
(In reply to Pacho Ramos from comment #3)
> I have been using it since yesterday and it looks OK to me (at least it
> doesn't seem to break anything)

++

amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-23 21:19:59 UTC
Should I second-guess what is to be done here?
Comment 6 Pacho Ramos gentoo-dev 2014-11-23 21:56:46 UTC
Stabilize the only version fixing this security bug.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-24 11:21:01 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2014-11-29 13:29:26 UTC
ppc64 stable
Comment 9 Markus Meier gentoo-dev 2014-11-29 19:47:51 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-01 09:17:50 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-02 11:58:13 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-03 09:59:00 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-05 10:27:00 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-12-06 16:48:52 UTC
ia64 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 15 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-09 18:19:37 UTC
New request added
Comment 16 Pacho Ramos gentoo-dev 2014-12-09 18:45:27 UTC
+  09 Dec 2014; Pacho Ramos <pacho@gentoo.org>
+  -files/libxml2-2.9.0-manual-python.patch,
+  -files/libxml2-2.9.0-thread-alloc.patch,
+  -files/libxml2-2.9.1-compression-detection.patch,
+  -files/libxml2-2.9.1-external-param-entities.patch,
+  -files/libxml2-2.9.1-icu-pkgconfig.patch,
+  -files/libxml2-2.9.1-missing-break.patch,
+  -files/libxml2-2.9.1-non-ascii-cr-lf.patch,
+  -files/libxml2-2.9.1-python-2.6.patch, -files/libxml2-2.9.1-python3.patch,
+  -files/libxml2-2.9.1-python3a.patch,
+  -files/libxml2-2.9.1-xmllint-postvalid.patch, -libxml2-2.9.1-r4.ebuild,
+  -libxml2-2.9.1-r5.ebuild:
+  Cleanup due to security bug #525656
+
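Review bot: The removal list includes files/libxml2-2.9.1-external-param-entities.patch and several other 2.9.1 fixes, while the 2.9.2 bump only added icu-pkgconfig and revert-missing-initialization patches, so the entry should state that the dropped fixes are already part of 2.9.2. A short line such as "patches merged upstream in 2.9.2" after "Cleanup due to security bug #525656" would cover it, if that is the case.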
Comment 17 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-09 19:16:07 UTC
Thank you for the cleanup.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-12-11 06:51:28 UTC
This issue was resolved and addressed in GLSA 201412-06 at http://security.gentoo.org/glsa/glsa-201412-06.xml by GLSA coordinator Sergey Popov (pinkbyte).