Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 543930 (CVE-2015-0252) - <dev-libs/xerces-c-3.1.2: XML Parser Crashes on Malformed Input (CVE-2015-0252)
Summary: <dev-libs/xerces-c-3.1.2: XML Parser Crashes on Malformed Input (CVE-2015-0252)
Status: RESOLVED FIXED
Alias: CVE-2015-0252
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-20 16:13 UTC by Agostino Sarubbo
Modified: 2015-07-16 17:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-03-20 16:13:32 UTC
From ${URL} :

CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions
prior to V3.1.2

Description: The Xerces-C XML parser mishandles certain kinds of
malformed input documents, resulting in a segmentation fault during
a parse operation. The bug does not appear to allow for remote code
execution, but is a denial of service attack that in many applications
may allow for an unauthenticated attacker to supply malformed input
and cause a crash.

Mitigation: Applications that are using library versions older than
V3.1.2 should upgrade as soon as possible. Distributors of older versions
should apply the patches from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1667870

Credit: This issue was reported independently by Anton Rager and Jonathan
Brossard from the Salesforce.com Product Security Team and by Ben Laurie
of Google.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-03-28 17:14:50 UTC
CVE-2015-0252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0252):
  internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote
  attackers to cause a denial of service (segmentation fault and crash) via
  crafted XML data.
Comment 2 Sergey Popov gentoo-dev 2015-05-26 09:17:47 UTC
+*xerces-c-3.1.2 (26 May 2015)
+
+  26 May 2015; Sergey Popov <pinkbyte@gentoo.org> +xerces-c-3.1.2.ebuild:
+  Security bump, wrt bug #543930. Bump EAPI to 5, add epatch_user, add subslot
+  to dev-libs/icu dependency, wrt bug #522670

Arches, please test and mark stable =dev-libs/xerces-c-3.1.2

Target keywords: alpha amd64 hppa ppc ppc64 sparc x86
Comment 3 Agostino Sarubbo gentoo-dev 2015-05-27 10:46:44 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-28 05:00:20 UTC
Stable for HPPA PPC64.
Comment 5 Jack Morgan (RETIRED) gentoo-dev 2015-06-02 05:21:35 UTC
sparc stable
Comment 6 Sergey Popov gentoo-dev 2015-06-03 02:02:57 UTC
ppc/x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-07-03 08:33:43 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-07-06 04:59:16 UTC
Arches and Maintainer(s), Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).
Remove version: 3.1.1-r1

GLSA Vote: No
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-16 14:46:38 UTC
GLSA Vote: No
Comment 10 Sergey Popov gentoo-dev 2015-07-16 17:41:37 UTC
Cleanup is done