Bug 833809 (CVE-2022-23308) - <dev-libs/libxml2-2.9.13: multiple vulnerabilities
Summary: <dev-libs/libxml2-2.9.13: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-23308
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/libxml...
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 834458
Blocks:
Reported: 2022-02-20 20:43 UTC by John Helmert III
Modified: 2022-10-16 14:55 UTC


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-20 20:43:53 UTC
From URL:

"Security:
  [CVE-2022-23308] Use-after-free of ID and IDREF attributes
  (Thanks to Shinji Sato for the report)
  Use-after-free in xmlXIncludeCopyRange (David Kilzer)
  Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong)
  Fix memory leak in xmlXPathCompNodeTest
  Fix null pointer deref in xmlStringGetNodeList
  Fix several memory leaks found by Coverity (David King)"
Comment 1 Larry the Git Cow gentoo-dev 2022-02-21 01:13:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c38911533cea511c6c5a318e517da7d6df96ecb

commit 2c38911533cea511c6c5a318e517da7d6df96ecb
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-21 01:10:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-21 01:10:59 +0000

    dev-libs/libxml2: add 2.9.13
    
    Bug: https://bugs.gentoo.org/833809
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.9.13.ebuild | 240 +++++++++++++++++++++++++++++++++
 2 files changed, 241 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-02-21 02:00:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac5e34e355b38781725f213dc32976bc0467b16b

commit ac5e34e355b38781725f213dc32976bc0467b16b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-21 01:59:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-21 02:00:27 +0000

    dev-libs/libxml2: restore LDFLAGS patch; drop unnecessary test patch
    
    Bug: https://bugs.gentoo.org/833809
    Signed-off-by: Sam James <sam@gentoo.org>

 .../libxml2/{libxml2-2.9.13.ebuild => libxml2-2.9.13-r1.ebuild}     | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:32:12 UTC
GLSA request filed
Comment 4 Larry the Git Cow gentoo-dev 2022-10-16 14:46:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=adf5474fd11ba8a07548c5e37fac5e66db57a112

commit adf5474fd11ba8a07548c5e37fac5e66db57a112
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:40:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:20 +0000

    [ GLSA 202210-03 ] libxml2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/833809
    Bug: https://bugs.gentoo.org/842261
    Bug: https://bugs.gentoo.org/865727
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-03.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 14:55:08 UTC
GLSA released, all done!