Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 842261 (CVE-2022-29824)

Summary: <dev-libs/libxml2-2.9.14: Integer overflows in xmlBuf and xmlBuffer
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 842297, 847127    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-03 00:23:06 UTC 
See https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd.

"""
In several places, the code handling string buffers didn't check for
integer overflow or used wrong types for buffer sizes. This could
result in out-of-bounds writes or other memory errors when working on
large, multi-gigabyte buffers.

Thanks to Felix Wilhelm for the report.
"""
Comment 1 Larry the Git Cow gentoo-dev 2022-05-03 00:50:06 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bbbe5e4ec96f6c8b2d2858f9c23fa8a24a797f2

commit 8bbbe5e4ec96f6c8b2d2858f9c23fa8a24a797f2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-03 00:38:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-03 00:39:01 +0000

    dev-libs/libxml2: add 2.9.14
    
    Bug: https://bugs.gentoo.org/842261
    Closes: https://bugs.gentoo.org/582130
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest                          |   1 +
 .../files/libxml2-2.9.13-testapi-missing-xml.patch |   9 -
 .../files/libxml2-2.9.8-out-of-tree-test.patch     |  31 ++++
 dev-libs/libxml2/libxml2-2.9.14.ebuild             | 193 +++++++++++++++++++++
 dev-libs/libxml2/libxml2-9999.ebuild               |  51 +++---
 5 files changed, 255 insertions(+), 30 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:32:17 UTC 
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2022-10-16 14:46:21 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=adf5474fd11ba8a07548c5e37fac5e66db57a112

commit adf5474fd11ba8a07548c5e37fac5e66db57a112
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:40:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:20 +0000

    [ GLSA 202210-03 ] libxml2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/833809
    Bug: https://bugs.gentoo.org/842261
    Bug: https://bugs.gentoo.org/865727
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-03.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 14:54:56 UTC 
GLSA released, all done!