Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 842261 (CVE-2022-29824)

Summary: <dev-libs/libxml2-2.9.14: Integer overflows in xmlBuf and xmlBuffer
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: base-system, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 842297, 847127    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-03 00:23:06 UTC
See https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd.

"""
In several places, the code handling string buffers didn't check for
integer overflow or used wrong types for buffer sizes. This could
result in out-of-bounds writes or other memory errors when working on
large, multi-gigabyte buffers.

Thanks to Felix Wilhelm for the report.
"""
Comment 1 Larry the Git Cow gentoo-dev 2022-05-03 00:50:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bbbe5e4ec96f6c8b2d2858f9c23fa8a24a797f2

commit 8bbbe5e4ec96f6c8b2d2858f9c23fa8a24a797f2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-03 00:38:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-03 00:39:01 +0000

    dev-libs/libxml2: add 2.9.14
    
    Bug: https://bugs.gentoo.org/842261
    Closes: https://bugs.gentoo.org/582130
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest                          |   1 +
 .../files/libxml2-2.9.13-testapi-missing-xml.patch |   9 -
 .../files/libxml2-2.9.8-out-of-tree-test.patch     |  31 ++++
 dev-libs/libxml2/libxml2-2.9.14.ebuild             | 193 +++++++++++++++++++++
 dev-libs/libxml2/libxml2-9999.ebuild               |  51 +++---
 5 files changed, 255 insertions(+), 30 deletions(-)