Debian Bug report logs - #715531
libxml2: CVE-2013-2877


Package: libxml2; Maintainer for libxml2 is Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>; Source for libxml2 is src:libxml2.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 10 Jul 2013 06:51:02 UTC

Severity: grave

Tags: security

Found in version libxml2/2.7.8.dfsg-2

Fixed in versions libxml2/2.9.1+dfsg1-1, 2.9.1+dfsg1-1

Done: Michael Gilbert <mgilbert@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#715531; Package libxml2. (Wed, 10 Jul 2013 06:51:06 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Wed, 10 Jul 2013 06:51:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxml2: CVE-2013-2877
Date: Wed, 10 Jul 2013 08:42:46 +0200
Package: libxml2
Severity: grave
Tags: security
Justification: user security hole

http://googlechromereleases.blogspot.de/2013/07/stable-channel-update.html includes:

[229019] Low CVE-2013-2877: Out-of-bounds read in XML parsing. Credit to Aki Helin of OUSPG.

The commit in Chromium is 
http://git.chromium.org/gitweb/?p=chromium.git;a=commit;h=e5d7f7e5dc21d3ae7be3cbb949ac4d8701e06de1

The upstream commit in libxml2 is:
https://git.gnome.org/browse/libxml2/commit/parser.c?id=e50ba8164eee06461c73cd8abb9b46aa0be81869

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#715531; Package libxml2. (Sun, 14 Jul 2013 16:09:12 GMT)

Acknowledgement sent to Aron Xu <happyaron.xu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Sun, 14 Jul 2013 16:09:13 GMT)

Message #10 received at 715531@bugs.debian.org:

From: Aron Xu <happyaron.xu@gmail.com>
To: Moritz Muehlenhoff <jmm@inutil.org>, 715531@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: [xml/sgml-pkgs] Bug#715531: libxml2: CVE-2013-2877
Date: Mon, 15 Jul 2013 00:05:45 +0800
fixed 715531 libxml2/2.9.1+dfsg1-2
thanks

This problem does not exist in 2.9.1; it's some of the last commits
that make up the release of 2.9.1. I'll have a look at wheezy then.


-- 
Regards,
Aron Xu



Marked as fixed in versions libxml2/2.9.1+dfsg1-2. Request was from Aron Xu <happyaron.xu@gmail.com> to control@bugs.debian.org. (Sun, 14 Jul 2013 16:09:15 GMT)

Marked as fixed in versions libxml2/2.9.1+dfsg1-1. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 13 Oct 2013 05:45:04 GMT)

No longer marked as fixed in versions libxml2/2.9.1+dfsg1-2. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 13 Oct 2013 05:45:05 GMT)

Marked as found in versions libxml2/2.7.8.dfsg-2. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 13 Oct 2013 05:45:06 GMT)

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Sun, 13 Oct 2013 05:54:05 GMT)

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 13 Oct 2013 05:54:05 GMT)

Message #23 received at 715531-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 715531-close@bugs.debian.org
Date: Sun, 13 Oct 2013 01:50:12 -0400
version: 2.9.1+dfsg1-1





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 00:13:10 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.