Bug 661471 - VUL-0: libxml2: double free in Xpath processing
VUL-0: libxml2: double free in Xpath processing
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Hardware: Other / Other
Importance: P2 - High / Major
Target Milestone: ---
Assigned To: Security Team bot
libxml2 maint:released:11.2:38021 mai...
Depends on:
Reported: 2010-12-27 10:50 UTC by Thomas Biege
Modified: 2019-09-25 15:55 UTC (History)

Found By: Development


Description Thomas Biege 2010-12-27 10:50:20 UTC
There is a security bug in package 'libxml2'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:

CVE number: CVE-2010-4494
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4494
This issue seems to be different from bnc#648277

Original posting:

----------  Forwarded Message  ----------

Subject: [Full-disclosure] [SECURITY] [DSA 2137-1] Security update for libxml2
Date: Sunday 26 December 2010
From: Moritz Muehlenhoff <jmm@debian.org>
To: debian-security-announce@lists.debian.org


------------------------------------------------------------------------
Debian Security Advisory DSA-2137-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
December 26, 2010                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : libxml2
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2010-4494

Yang Dingning discovered a double free in libxml's Xpath processing, 
which might allow the execution of arbitrary code.

For the stable distribution (lenny), this problem has been fixed
in version 2.6.32.dfsg-5+lenny3.

For the upcoming stable distribution (squeeze) and the unstable
distribution (sid), this problem has been fixed in version 

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org



 Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
  Whoever stops wanting to become better stops being good.
                            -- Marie von Ebner-Eschenbach
Comment 1 Petr Uzel 2011-01-03 11:09:20 UTC
Submitted to

- Factory : sr#56998
- 11.1    : sr#57003
- 11.2    : sr#57002
- 11.3    : sr#57001

- SLE11-SP1 : sr#9907

[SLE10 and earlier are not affected.]
Comment 2 Swamp Workflow Management 2011-01-04 12:50:17 UTC
The SWAMPID for this issue is 38020.
This issue was rated as moderate.
Please submit fixed packages until 2011-01-18.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Sebastian Krahmer 2011-01-04 14:40:59 UTC
BTW, does this also include patch for planned update for
bnc#635119?
Comment 4 Petr Uzel 2011-01-05 07:25:20 UTC
(In reply to comment #3)
> BTW, does this also include patch for planned update for
> bnc#635119?

Oops, no; I'll add it and resubmit.
Comment 5 Sebastian Krahmer 2011-01-05 07:44:39 UTC
This is only a re-submit for SLE11-SP1 right?
So I don't need to resubmit box PI's.
Comment 6 Petr Uzel 2011-01-05 07:54:23 UTC
(In reply to comment #5)
> This is only a re-submit for SLE11-SP1 right?

Yes, I will resubmit only for SLE11-SP1.

> So I dont need to resubmit box PI's.

Sorry, I don't know what "box PI's" mean.
Comment 7 Petr Uzel 2011-01-05 08:49:39 UTC
Resubmitted as sr#9930
Comment 8 Swamp Workflow Management 2011-03-30 14:12:28 UTC
Update released for: libxml2, libxml2-debuginfo, libxml2-debuginfo-32bit, libxml2-debuginfo-x86, libxml2-debugsource, libxml2-devel, libxml2-doc
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 9 Ludwig Nussel 2011-03-30 14:12:35 UTC
Comment 10 Swamp Workflow Management 2011-03-31 11:19:24 UTC
Update released for: libxml2, libxml2-32bit, libxml2-debuginfo, libxml2-debuginfo-32bit, libxml2-debuginfo-64bit, libxml2-debuginfo-x86, libxml2-debugsource, libxml2-devel, libxml2-devel-32bit, libxml2-doc, libxml2-x86
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)