Summary: | <dev-libs/libxml2-2.9.10-r5: Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c (CVE-2020-24977) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | base-system, sam |
Priority: | Normal | Flags: | nattka: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://gitlab.gnome.org/GNOME/libxml2/-/issues/178 | ||
Whiteboard: | A3 [glsa+ cve] | ||
Package list: | dev-libs/libxml2-2.9.10-r5 | ||
Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2020-10-18 01:21:16 UTC
Upstream fix: https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2

FWIW: https://gitlab.gnome.org/GNOME/libxml2/-/issues/178#note_892545. But there's been a bunch of other useful looking sec-adjacent fixes so let's do a new patchset soon.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c89772e764f988c990d87a3fd3428894317512e

commit 3c89772e764f988c990d87a3fd3428894317512e
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-03-11 17:30:06 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-03-11 17:47:45 +0000

dev-libs/libxml2: split CVE patch into new revbump (2.9.10-r5), restore old

Bug: https://bugs.gentoo.org/749849
Signed-off-by: Sam James <sam@gentoo.org>

.../files/libxml2-2.9.10-xmllint-utf8.patch | 2 +
dev-libs/libxml2/libxml2-2.9.10-r4.ebuild | 216 +++++++++++++++++++++
dev-libs/libxml2/libxml2-2.9.10-r5.ebuild | 2 +-
3 files changed, 219 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf3128be852f26ac32c5dd67e904012b094b9496

commit cf3128be852f26ac32c5dd67e904012b094b9496
Author: Benjamin Gordon <bmgordon@chromium.org>
AuthorDate: 2021-03-05 16:25:29 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-03-11 17:47:44 +0000

dev-libs/libxml2: Add upstream patch for xmllint

This fixes an out-of-bounds read in xmllint when built with icu. See CVE-2020-24977 and https://gitlab.gnome.org/GNOME/libxml2/-/issues/178 for more info.

Signed-off-by: Benjamin Gordon <bmgordon@chromium.org>
Bug: https://bugs.gentoo.org/749849
Closes: https://github.com/gentoo/gentoo/pull/19835
Signed-off-by: Sam James <sam@gentoo.org>

.../files/libxml2-2.9.10-xmllint-utf8.patch | 36 ++++++++++++++++++++++
...2-2.9.10-r4.ebuild => libxml2-2.9.10-r5.ebuild} | 3 ++
2 files changed, 39 insertions(+)

hppa stable

ppc done

ppc64 done

sparc done

amd64 stable

x86 done

arm done

arm64 done

s390 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Added to an existing GLSA request.

This issue was resolved and addressed in GLSA 202107-05 at https://security.gentoo.org/glsa/202107-05 by GLSA coordinator John Helmert III (ajak).