Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 583888 (CVE-2016-1836, CVE-2016-1838, CVE-2016-1839, CVE-2016-1840) - <dev-libs/libxml2-2.9.4: multiple vulnerabilities
Summary: <dev-libs/libxml2-2.9.4: multiple vulnerabilities
Alias: CVE-2016-1836, CVE-2016-1838, CVE-2016-1839, CVE-2016-1840
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Depends on:
Reported: 2016-05-23 14:52 UTC by Agostino Sarubbo
Modified: 2017-01-16 21:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-05-23 14:52:08 UTC
From ${URL} :

More format string warnings with possible format string vulnerability (David Kilzer),
Avoid building recursive entities (Daniel Veillard),
Heap-based buffer overread in htmlCurrentChar (Pranjal Jumde),
Heap-based buffer-underreads due to xmlParseName (David Kilzer),
Heap use-after-free in xmlSAX2AttributeNs (Pranjal Jumde),
Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral (Pranjal Jumde),
Fix some format string warnings with possible format string vulnerability (David Kilzer),
Detect change of encoding when parsing HTML names (Hugh Davenport),
Fix inappropriate fetch of entities content (Daniel Veillard),
Bug 759398: Heap use-after-free in xmlDictComputeFastKey <> (Pranjal Jumde),
Bug 758605: Heap-based buffer overread in xmlDictAddString <> (Pranjal Jumde),
Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal <> (David Kilzer),
Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup <> (Pranjal Jumde),
Add missing increments of recursion depth counter to XML parser. (Peter Simons)

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-19 00:42:52 UTC
Bug is CVE-2016-1836.

Bug is CVE-2016-1839 handled by bug 573820.

Bug is CVE-2016-1838.

Bug is CVE-2016-1840.

Each vulnerability was fixed by v2.9.4.

v2.9.4 landed in Gentoo repository via

@ Security: Please vote!
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-01-16 21:26:16 UTC
This issue was resolved and addressed in
 GLSA 201701-37 at
by GLSA coordinator Thomas Deutschmann (whissi).