877149 – (CVE-2022-40303, CVE-2022-40304) <dev-libs/libxml2-2.10.3: Multiple vulnerabilities

Bug 877149 (CVE-2022-40303, CVE-2022-40304) - <dev-libs/libxml2-2.10.3: Multiple vulnerabilities

Summary: <dev-libs/libxml2-2.10.3: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2022-40303, CVE-2022-40304

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A2 [glsa+]
Keywords:

Depends on:	878569
Blocks:
	Show dependency tree

Reported:	2022-10-14 18:44 UTC by Sam James
Modified:	2022-11-01 21:36 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2022-10-14 18:44:37 UTC

From 2.10.3 release notes:

+v2.10.3: Oct 14 2022
+
+### Security
+
+- [CVE-2022-40304] Fix dict corruption caused by entity reference cycles
+- [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
+- Fix overflow check in SAX2.c

Comment 1 Larry the Git Cow gentoo-dev

2022-10-14 19:04:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=337cb12f6ac4729d216e81eda3552012ad065b87

commit 337cb12f6ac4729d216e81eda3552012ad065b87
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-14 18:50:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-14 19:04:09 +0000

    dev-libs/libxml2: add 2.10.3
    
    Bug: https://bugs.gentoo.org/877149
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.10.3.ebuild | 194 +++++++++++++++++++++++++++++++++
 2 files changed, 195 insertions(+)

Comment 2 John Helmert III archtester

2022-10-31 14:46:39 UTC

GLSA request filed

Comment 3 Larry the Git Cow gentoo-dev

2022-10-31 20:26:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=afe57ff3aad6191b756c24affca2cbef0b388d21

commit afe57ff3aad6191b756c24affca2cbef0b388d21
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:24:32 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:25:51 +0000

    [ GLSA 202210-39 ] libxml2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/877149
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-39.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

Comment 4 Larry the Git Cow gentoo-dev

2022-11-01 21:35:11 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e07628f6e8bffb7e8f154e6610e0f5d0393a901f

commit e07628f6e8bffb7e8f154e6610e0f5d0393a901f
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-01 21:02:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-01 21:12:15 +0000

    dev-libs/libxml2: drop 2.10.2
    
    Bug: https://bugs.gentoo.org/877149
    Bug: https://bugs.gentoo.org/878269
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 -
 dev-libs/libxml2/libxml2-2.10.2.ebuild | 194 ---------------------------------
 2 files changed, 195 deletions(-)

Comment 5 John Helmert III archtester

2022-11-01 21:36:05 UTC

Cleanup done, all done!