
Bug 710748 (CVE-2019-20388, CVE-2020-7595)

Summary: <dev-libs/libxml2-2.9.10: multiple vulnerabilities (CVE-{2019-20388,2020-7595})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ajak, base-system, sam
Priority: Normal
Keywords: PullRequest
Version: unspecified
Flags: nattka: sanity-check-
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/16405
https://bugs.gentoo.org/show_bug.cgi?id=700386
https://bugs.gentoo.org/show_bug.cgi?id=738728
Whiteboard: A3 [glsa+ cve]
Package list:
dev-libs/libxml2-2.9.10-r1 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86
dev-libs/libxslt-1.1.34 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86
Runtime testing required: ---
Bug Depends on: 704202, 737024
Bug Blocks: 700386

Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-25 00:49:02 UTC
CVE-2019-20388 (https://nvd.nist.gov/vuln/detail/CVE-2019-20388):
  xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an
  xmlSchemaValidateStream memory leak.

CVE-2020-7595 (https://nvd.nist.gov/vuln/detail/CVE-2020-7595):
  xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite
  loop in a certain end-of-file situation.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-16 18:45:04 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2019-20388 (https://nvd.nist.gov/vuln/detail/CVE-2019-20388):
>   xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an
>   xmlSchemaValidateStream memory leak.
> 

PR: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/68
Patch: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a

> CVE-2020-7595 (https://nvd.nist.gov/vuln/detail/CVE-2020-7595):
>   xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite
>   loop in a certain end-of-file situation.

Patch: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 01:36:56 UTC
@maintainer(s): ping, please bump
Comment 3 Hanno Böck gentoo-dev 2020-06-20 16:36:23 UTC
There are actually not just these two vulnerabilities. A large number of memory safety bugs have been fixed in the latest release 2.9.10:
https://mail.gnome.org/archives/xml/2019-October/msg00014.html

This should get a bump asap.
Comment 4 Larry the Git Cow gentoo-dev 2020-07-29 20:55:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53ccf8fa1b30f2a7baebd9617de599e3109963b4

commit 53ccf8fa1b30f2a7baebd9617de599e3109963b4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-06-23 11:28:23 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2020-07-29 20:55:19 +0000

    dev-libs/libxml2: security bump to 2.0.10, with patches
    
    We bump here to 2.0.10, but include patches up to the upstream commit
    c0440868.
    
    The only modifications made between the git repo from upstream and
    creation of the patchset tarball were removal of any patches which could
    not apply because e.g. they touch files not in the release tarball, or
    were applicable just to fuzzing so not useful here, and git could not
    apply them anyway.
    
    Let's bump to EAPI 7 too, while we're here, to help out the cross
    compilers.
    
    Bug: https://bugs.gentoo.org/710748
    Closes: https://bugs.gentoo.org/719088
    Closes: https://bugs.gentoo.org/704202
    Closes: https://github.com/gentoo/gentoo/pull/16405
    Signed-off-by: Sam James <sam@gentoo.org>
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 dev-libs/libxml2/Manifest              |   2 +
 dev-libs/libxml2/libxml2-2.9.10.ebuild | 224 +++++++++++++++++++++++++++++++++
 2 files changed, 226 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 21:03:07 UTC
We'll give it a few days, although it should be fine.
Comment 6 charles17 2020-07-30 09:18:34 UTC
*** Bug 729442 has been marked as a duplicate of this bug. ***
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 08:30:17 UTC
I think we're good to go. I'll CC-ARCHES later today if no objections.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-12 04:00:27 UTC
sparc done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-12 04:01:53 UTC
arm64 done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-12 10:49:35 UTC
arm done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-14 16:02:30 UTC
x86 done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-14 17:19:09 UTC
amd64 done
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-15 07:42:45 UTC
hppa stable
Comment 14 Larry the Git Cow gentoo-dev 2020-08-16 04:23:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc0c637a699f51f9736527c162675b52548207c0

commit dc0c637a699f51f9736527c162675b52548207c0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-16 04:23:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-16 04:23:15 +0000

    dev-libs/libxml2: add upstream patch for consumers
    
    Within our patchset (which included various upstream memory
    correctness fixes), we included a patch
    (0034-Call-xmlCleanupParser-on-ELF-destruction.patch)
    
    which has caused crashes in some applications e.g. nokogiri
    because they use a custom free handler.
    
    We apply upstream's patch for this issue
    (check-for-custom-free-function-in-global-destructor.patch).
    
    We will likely give this a small amount of time in ~arch,
    then move the stable keywords from 2.9.10 forward,
    as this is a minor change and affects the current stable
    for most arches.
    
    Bug: https://bugs.gentoo.org/710748
    Bug: https://bugs.gentoo.org/737024
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest                 |   1 +
 dev-libs/libxml2/libxml2-2.9.10-r1.ebuild | 224 ++++++++++++++++++++++++++++++
 2 files changed, 225 insertions(+)
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-17 01:09:37 UTC
s390 done
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 04:03:05 UTC
ppc64 done
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-06 16:17:17 UTC
ppc stable. Please cleanup.
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-18 04:30:12 UTC
Another (CVE-2020-24977):

GNOME project libxml2 v2.9.10 and earlier have a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
Comment 19 NATTkA bot gentoo-dev 2020-09-26 16:25:20 UTC Comment hidden (obsolete)
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2020-10-18 01:17:32 UTC
Removing CVE-2020-24977 which is not handled in this bug.
Comment 21 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 09:03:51 UTC
Looks like cleanup was done here:

commit f016ee441ef5590db02e09198fcbf6b12a463c50
Author: Matt Turner <mattst88@gentoo.org>
Date:   Fri Oct 30 18:37:29 2020 -0400

    dev-libs/libxml2: Drop old versions

    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 delete mode 100644 dev-libs/libxml2/files/2.9.9-python3-unicode-errors.patch
 delete mode 100644 dev-libs/libxml2/libxml2-2.9.10-r2.ebuild
 delete mode 100644 dev-libs/libxml2/libxml2-2.9.9-r4.ebuild
Comment 22 NATTkA bot gentoo-dev 2020-12-27 09:05:17 UTC
Unable to check for sanity:

> no match for package: dev-libs/libxml2-2.9.10-r1
Comment 23 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 17:59:37 UTC
new GLSA req filed
Comment 24 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-08 13:31:30 UTC
(In reply to Sam James from comment #23)
> new GLSA req filed

Nope!

https://security.gentoo.org/glsa/202010-04