Summary: | <dev-libs/libxml2-2.9.10: multiple vulnerabilities (CVE-{2019-20388,2020-7595}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | ajak, base-system, sam
Priority: | Normal | Keywords: | PullRequest
Version: | unspecified | Flags: | nattka: sanity-check-
Hardware: | All | |
OS: | Linux | |
See Also: | https://github.com/gentoo/gentoo/pull/16405 https://bugs.gentoo.org/show_bug.cgi?id=700386 https://bugs.gentoo.org/show_bug.cgi?id=738728 | |
Whiteboard: | A3 [glsa+ cve] | |
Package list: | dev-libs/libxml2-2.9.10-r1 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86; dev-libs/libxslt-1.1.34 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86 | |
Runtime testing required: | --- | |
Bug Depends on: | 704202, 737024 | |
Bug Blocks: | 700386 | |
Description

GLSAMaker/CVETool Bot 2020-02-25 00:49:02 UTC

(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2019-20388 (https://nvd.nist.gov/vuln/detail/CVE-2019-20388):
> xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an
> xmlSchemaValidateStream memory leak.
> PR: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/68

Patch: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a

> CVE-2020-7595 (https://nvd.nist.gov/vuln/detail/CVE-2020-7595):
> xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite
> loop in a certain end-of-file situation.

Patch: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076

@maintainer(s): ping, please bump


There are actually not just these two vulnerabilities. A large number of memory safety bugs have been fixed in the latest release 2.9.10:
https://mail.gnome.org/archives/xml/2019-October/msg00014.html

This should get a bump asap.


The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53ccf8fa1b30f2a7baebd9617de599e3109963b4

commit 53ccf8fa1b30f2a7baebd9617de599e3109963b4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-06-23 11:28:23 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2020-07-29 20:55:19 +0000

    dev-libs/libxml2: security bump to 2.0.10, with patches

    We bump here to 2.0.10, but include patches up to the upstream commit
    c0440868.

    The only modifications made between the git repo from upstream and
    creation of the patchset tarball were removal of any patches which could
    not apply because e.g. they touch files not in the release tarball, or
    were applicable just to fuzzing so not useful here, and git could not
    apply them anyway.

    Let's bump to EAPI 7 too, while we're here, to help out the cross
    compilers.

    Bug: https://bugs.gentoo.org/710748
    Closes: https://bugs.gentoo.org/719088
    Closes: https://bugs.gentoo.org/704202
    Closes: https://github.com/gentoo/gentoo/pull/16405
    Signed-off-by: Sam James <sam@gentoo.org>
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 dev-libs/libxml2/Manifest              |   2 +
 dev-libs/libxml2/libxml2-2.9.10.ebuild | 224 +++++++++++++++++++++++++++++++++
 2 files changed, 226 insertions(+)


We'll give it a few days, although it should be fine.


*** Bug 729442 has been marked as a duplicate of this bug. ***


I think we're good to go. I'll CC-ARCHES later today if no objections.


sparc done


arm64 done


arm done


x86 done


amd64 done


hppa stable


The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc0c637a699f51f9736527c162675b52548207c0

commit dc0c637a699f51f9736527c162675b52548207c0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-16 04:23:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-16 04:23:15 +0000

    dev-libs/libxml2: add upstream patch for consumers

    Within our patchset (which included various upstream memory correctness
    fixes), we included a patch
    (0034-Call-xmlCleanupParser-on-ELF-destruction.patch) which has caused
    crashes in some applications e.g. nokogiri because they use a custom
    free handler.

    We apply upstream's patch for this issue
    (check-for-custom-free-function-in-global-destructor.patch).

    We will likely give this a small amount of time in ~arch, then move the
    stable keywords from 2.9.10 forward, as this is a minor change and
    affects the current stable for most arches.

    Bug: https://bugs.gentoo.org/710748
    Bug: https://bugs.gentoo.org/737024
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest                 |   1 +
 dev-libs/libxml2/libxml2-2.9.10-r1.ebuild | 224 ++++++++++++++++++++++++++++++
 2 files changed, 225 insertions(+)


s390 done


ppc64 done


ppc stable. Please cleanup.
Another (CVE-2020-24977): GNOME project libxml2 v2.9.10 and earlier have a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).


Unable to check for sanity:

> no match for package: dev-libs/libxml2-2.9.10-r1


Removing CVE-2020-24977, which is not handled in this bug.


Looks like cleanup was done here:

commit f016ee441ef5590db02e09198fcbf6b12a463c50
Author: Matt Turner <mattst88@gentoo.org>
Date:   Fri Oct 30 18:37:29 2020 -0400

    dev-libs/libxml2: Drop old versions

    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 delete mode 100644 dev-libs/libxml2/files/2.9.9-python3-unicode-errors.patch
 delete mode 100644 dev-libs/libxml2/libxml2-2.9.10-r2.ebuild
 delete mode 100644 dev-libs/libxml2/libxml2-2.9.9-r4.ebuild


Unable to check for sanity:

> no match for package: dev-libs/libxml2-2.9.10-r1


new GLSA req filed


(In reply to Sam James from comment #23)
> new GLSA req filed

Nope! https://security.gentoo.org/glsa/202010-04