Bug 938894 (CVE-2024-45490, CVE-2024-45491, CVE-2024-45492) - <dev-libs/expat-2.6.3: multiple vulnerabilities
Summary: <dev-libs/expat-2.6.3: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [stable]
Keywords:
Depends on: 924601 939074 930032
Blocks:
Reported: 2024-09-01 20:28 UTC by Sebastian Pipping
Modified: 2024-09-09 05:53 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sebastian Pipping gentoo-dev 2024-09-01 20:28:07 UTC
Upstream release 2.6.3 with the fixes coming up…
Comment 1 Larry the Git Cow gentoo-dev 2024-09-04 11:30:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4c60d4f7b4cf41d158e8df07ccf9b4641ba8b16

commit c4c60d4f7b4cf41d158e8df07ccf9b4641ba8b16
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2024-09-04 11:26:38 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2024-09-04 11:29:27 +0000

    dev-libs/expat: 2.6.3 with security fixes
    
    Bug: https://bugs.gentoo.org/938894
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 dev-libs/expat/Manifest           |   1 +
 dev-libs/expat/expat-2.6.3.ebuild | 100 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+)
Comment 2 Sebastian Pipping gentoo-dev 2024-09-04 15:20:15 UTC
Regarding stabilization:
- We won't be able to wipe dev-libs/expat-2.5.0 from the tree
  before bug #924601 and bug #930032 are fixed
- We can still stabilize 2.6.3 though, I see no conflict in that
- I have created bug #939074 dedicated to stabilization of 2.6.3 just now
Comment 3 Hans de Graaff gentoo-dev Security 2024-09-05 06:08:00 UTC
(In reply to Sebastian Pipping from comment #2)
> Regarding stabilization:
> - We won't be able to wipe dev-libs/expat-2.5.0 from the tree
>   before bug #924601 and bug #930032 are fixed
> - We can still stabilize 2.6.3 though, I see no conflict in that
> - I have created bug #939074 dedicated to stabilization of 2.6.3 just now

Sounds good, with this approach we can get a fixed version in the hands of most people. Waiting for cleanup will also not block issuing a GLSA if needed.
Comment 4 Filip Kobierski 2024-09-08 18:54:14 UTC
Would versions 2.6.[012] also be dropped? If so, I can make a PR.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-09-08 18:56:18 UTC
(In reply to Filip Kobierski from comment #4)
> Would versions 2.6.[012] also be dropped? If so, I can make a PR.

Just leave it to the maintainer.