Issue metadata
Sign in to add a comment
|
CrOS: Vulnerability reported in dev-libs/libxml2 |
||||||||||||||||||||||
Issue descriptionAutomated analysis has detected that the following third party packages have had vulnerabilities publicly reported. NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package. Package Name: dev-libs/libxml2 Package Version: [cpe:/a:xmlsoft:libxml2:2.9.4] Advisory: CVE-2017-8872 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-8872 CVSS severity score: 6.4/10.0 Confidence: high Description: The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
,
May 17 2017
,
May 24 2017
Friendly ping. Can anyone familiar with our libxml usage confirm whether this affects Chrome?
,
May 25 2017
I tried to reproduce the original report but I could not reproduce it, see b/38332615#comment7 There's no upstream fix for this. I have doubts about a proposed patch, see https://bugzilla.gnome.org/show_bug.cgi?id=775200#c6
,
Jun 6 2017
,
Jun 6 2017
,
Jun 6 2017
,
Jun 8 2017
dominicc: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 22 2017
dominicc: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 26 2017
,
Sep 6 2017
,
Sep 20 2017
dominicc: friendly ping. This bug hasn't had any activity in several months. Do you know if an upstream fix is available now? If it can't be reproduced or feasibly investigated please consider closing as WontFix. Thanks!
,
Oct 18 2017
,
Oct 26 2017
Joel, could you take a look?
,
Oct 30 2017
I'm going to close this as WontFix. I can't see that libxml has released any patch in relation to this issue, and since this issue we have rolled forward a number of times to the latest stable libxml release.
,
Feb 5 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by wfh@chromium.org
, May 16 2017Owner: dominicc@chromium.org