Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 638680 (CVE-2017-16931, CVE-2017-16932) - <dev-libs/libxml2-2.9.6: Multiple vulnerabilities
Summary: <dev-libs/libxml2-2.9.6: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-16931, CVE-2017-16932
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://xmlsoft.org/news.html
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-24 12:54 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-17 14:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-24 12:54:51 UTC
CVE-2017-16932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16932):
  parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in
  parameter entities.

CVE-2017-16931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16931):
  parser.c in libxml2 before 2.9.5 mishandles parameter-entity references
  because the NEXTL macro calls the xmlParserHandlePEReference function in the
  case of a '%' character in a DTD name.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-24 12:56:06 UTC
@Maintainers libxml2-2.9.6 is already stable on some arches, please confirm if we can stabilize it and clean previous versions.

Thank you
Comment 2 Gilles Dartiguelongue gentoo-dev 2018-01-16 07:38:39 UTC
2.9.6 is ok to go stable for remaining arches.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-17 14:09:46 UTC
GLSA Vote: No

Cleanup will be tracked in bug #644574