Xerces-C++: Multiple vulnerabilities — GLSA 201612-46

Multiple vulnerabilities have been found in Xerces-C++, the worst of which may allow remote attackers to execute arbitrary code.

Affected packages

dev-libs/xerces-c on all architectures
Affected versions < 3.1.4-r1
Unaffected versions >= 3.1.4-r1

Background

Xerces-C++ is a validating XML parser written in a portable subset of C++.

Description

Multiple vulnerabilities have been discovered in Xerces-C++. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could entice a user to process a specially crafted file, possibly resulting in the remote execution of arbitrary code with the privileges of the process, or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All Xerces-C++ users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/xerces-c-3.1.4-r1"
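The advisory gives 3.1.4-r1 as the first unaffected version. The script below, an added example that is not part of the GLSA or of Gentoo's own tooling, compares installed dev-libs/xerces-c package names against that threshold; the package list here is constructed, and on a real Gentoo system the same names are the directory entries under /var/db/pkg/dev-libs/.

```shell
#!/bin/sh
# Added example, not part of the GLSA: report installed dev-libs/xerces-c
# versions below the fixed version 3.1.4-r1 named in the advisory.
# Understands Gentoo versions "X.Y.Z" with an optional "-rN" ebuild
# revision; other version shapes are outside its scope.

FIXED_VERSION="3.1.4-r1"

# Map a version to one integer so versions compare with plain -lt:
#   3.1.4-r1 -> 3*10^12 + 1*10^8 + 4*10^4 + 1
version_key() {
    v="$1"; rev=0
    case "$v" in
        *-r*) rev="${v##*-r}"; v="${v%-r*}" ;;
    esac
    set -- $(printf '%s' "$v" | tr '.' ' ')   # split X.Y.Z on the dots
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    echo $(( major * 1000000000000 + minor * 100000000 + patch * 10000 + rev ))
}

# Exit status 0 when VERSION is affected (< 3.1.4-r1), 1 when it is not.
xerces_is_affected() {
    [ "$(version_key "$1")" -lt "$(version_key "$FIXED_VERSION")" ]
}

# Read package directory names ("xerces-c-VERSION", one per line, as they
# appear under /var/db/pkg/dev-libs/) and print the affected ones.
report_affected() {
    while IFS= read -r pkg; do
        case "$pkg" in
            xerces-c-*)
                if xerces_is_affected "${pkg#xerces-c-}"; then
                    echo "AFFECTED $pkg"
                fi ;;
        esac
    done
}

# Constructed sample standing in for `ls /var/db/pkg/dev-libs/`
SAMPLE_VDB="xerces-c-3.1.3
xerces-c-3.1.4
xerces-c-3.1.4-r1
xerces-c-3.2.0"

echo "$SAMPLE_VDB" | report_affected
```

The two entries 3.1.3 and 3.1.4 are reported as affected; 3.1.4-r1 and 3.2.0 are not, matching the version bounds in the Affected packages table.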

References

Release date
December 24, 2016

Latest revision
December 24, 2016: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries