
Issue 792851


Issue metadata

Status: Fixed
Owner:
Closed: Dec 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security




CrOS: Vulnerability reported in dev-libs/libxml2

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Dec 7 2017

Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. 

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: dev-libs/libxml2
Package Version: [cpe:/a:xmlsoft:libxml2:2.9.4]

Advisory: CVE-2017-16931
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-16931
  CVSS severity score: 7.5/10.0
  Confidence: high
  Description:

parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.

Advisory: CVE-2017-16932
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-16932
  CVSS severity score: 5/10.0
  Confidence: high
  Description:

parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.


 
Components: OS>Packages
Labels: -ComponentOSKernel Security_Impact-Stable Security_Severity-Medium
Owner: mnissler@chromium.org
Status: Started (was: Untriaged)
I'll uprev to 2.9.6, which is available in portage. 2.9.7 was released on Nov 2, but it apparently doesn't contain any security fixes and isn't available in portage anyways.

Packages depending on libxml2 aren't many and those that are probably don't make these bugs accessible to an attacker. The one exception is Chrome of course, and it's hard to say whether the bugs are accessible from web content without doing a deep dive.

Setting severity medium for now.
It doesn't look like Vomit has reported this on the Chrome side.
Project Member

Comment 4 by sheriffbot@chromium.org, Dec 13 2017

Labels: M-63
Project Member

Comment 5 by bugdroid1@chromium.org, Dec 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/ea79d87ae5bf582a45ebba7815e62719d27da5f8

commit ea79d87ae5bf582a45ebba7815e62719d27da5f8
Author: Mattias Nissler <mnissler@chromium.org>
Date: Wed Dec 20 18:14:47 2017

dev-libs/libxml2: uprev to version 2.9.6

BUG= chromium:792851 
TEST=Builds and passes tests

Change-Id: Ia819caaa722310613a182cebaf92b506d15750b7
Reviewed-on: https://chromium-review.googlesource.com/819650
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/ea79d87ae5bf582a45ebba7815e62719d27da5f8/dev-libs/libxml2/Manifest
[rename] https://crrev.com/ea79d87ae5bf582a45ebba7815e62719d27da5f8/dev-libs/libxml2/libxml2-2.9.6.ebuild

Status: Fixed (was: Started)
Project Member

Comment 7 by sheriffbot@chromium.org, Dec 21 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 8 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-63 M-65
Project Member

Comment 9 by sheriffbot@chromium.org, Mar 29 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
