Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 546720 (CVE-2015-1819) - <dev-libs/libxml2-2.9.2-r1: denial of service processing a crafted XML document (CVE-2015-1819)
Summary: <dev-libs/libxml2-2.9.2-r1: denial of service processing a crafted XML docume...
Status: RESOLVED FIXED
Alias: CVE-2015-1819
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-16 07:14 UTC by Agostino Sarubbo
Modified: 2015-07-07 07:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-04-16 07:14:44 UTC
From ${URL} :

Florian Weimer from Red Hat reported an issue against libxml2, where a parser which uses libxml2 
chokes on a crafted XML document, allocating gigabytes of data.
This is a fine line between API misuse and an libxml2 bug.
Daniel Veillard have a fix for this issue already.

Patch:
https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-04-19 16:09:28 UTC
Thanks, fixed:

+*libxml2-2.9.2-r1 (19 Apr 2015)
+
+  19 Apr 2015; Alexandre Rostovtsev <tetromino@gentoo.org>
+  +libxml2-2.9.2-r1.ebuild, +files/libxml2-2.9.2-constant-memory.patch,
+  +files/libxml2-2.9.2-missing-entities.patch,
+  +files/libxml2-2.9.2-threads-declarations.patch,
+  +files/libxml2-2.9.2-timsort.patch:
+  Add important patches from upstream, including a fix for a DoS vulnerability
+  (CVE-2015-1819, bug #546720, thanks to Agostino Sarubbo).

=dev-libs/libxml2-2.9.2-r1 needs to be stabilized.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-04-19 16:18:48 UTC
Arches, please test and mark stable:

=dev-libs/libxml2-2.9.2-r1

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"

Thank you!
Comment 3 Agostino Sarubbo gentoo-dev 2015-04-20 09:04:05 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-04-20 09:04:19 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-21 04:37:45 UTC
Stable for HPPA.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-21 17:42:35 UTC
Stable for PPC64.
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-04-24 21:48:56 UTC
sparc stable
Comment 8 Pacho Ramos gentoo-dev 2015-04-26 16:59:41 UTC
ppc stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-04-26 19:27:36 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-04-28 07:30:54 UTC
alpha stable
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-05-27 12:26:19 UTC
arm stable
Comment 12 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-05-27 13:40:02 UTC
Vulnerable versions have been removed.

+  27 May 2015; Alexandre Rostovtsev <tetromino@gentoo.org>
+  -libxml2-2.9.2.ebuild:
+  Clean up vulnerable versions.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-05-28 21:01:05 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 22:35:27 UTC
I would vote YES, but A3 should go straight to glsamaker anyway. Request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-07-07 07:23:20 UTC
This issue was resolved and addressed in
 GLSA 201507-08 at https://security.gentoo.org/glsa/201507-08
by GLSA coordinator Mikle Kolyada (Zlogene).