904202 – (CVE-2023-28484, CVE-2023-29469) <dev-libs/libxml2-2.10.4: Multiple vulnerabilities

Bug 904202 (CVE-2023-28484, CVE-2023-29469) - <dev-libs/libxml2-2.10.4: Multiple vulnerabilities

Summary: <dev-libs/libxml2-2.10.4: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2023-28484, CVE-2023-29469

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa+]
Keywords:

Depends on:	905398
Blocks:
	Show dependency tree

Reported:	2023-04-12 01:40 UTC by Sam James
Modified:	2024-02-09 09:39 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-04-12 01:40:02 UTC

```
- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
```

Comment 1 Larry the Git Cow gentoo-dev

2023-04-12 01:50:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ed861c98f8be7c243ee9fe4f32a873afcc2fb02

commit 7ed861c98f8be7c243ee9fe4f32a873afcc2fb02
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-04-12 01:49:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-12 01:49:08 +0000

    dev-libs/libxml2: add 2.10.4
    
    Bug: https://bugs.gentoo.org/904202
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.10.4.ebuild | 203 +++++++++++++++++++++++++++++++++
 2 files changed, 204 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2023-05-10 19:45:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ce518b754a74c9c12e20bfcf15dfe4a5f8a76071

commit ce518b754a74c9c12e20bfcf15dfe4a5f8a76071
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-10 19:45:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-10 19:45:34 +0000

    dev-libs/libxml2: drop 2.10.3-r1
    
    Bug: https://bugs.gentoo.org/904202
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest                 |   1 -
 dev-libs/libxml2/libxml2-2.10.3-r1.ebuild | 203 ------------------------------
 2 files changed, 204 deletions(-)

Comment 3 Larry the Git Cow gentoo-dev

2024-02-09 09:37:31 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e85e47ba7c520c0a553d527c33c5c297cb8ff286

commit e85e47ba7c520c0a553d527c33c5c297cb8ff286
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-09 09:36:36 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-09 09:37:22 +0000

    [ GLSA 202402-11 ] libxml2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/904202
    Bug: https://bugs.gentoo.org/905399
    Bug: https://bugs.gentoo.org/915351
    Bug: https://bugs.gentoo.org/923806
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-11.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)