
Bug 931977 (CVE-2024-34459)

Summary: <dev-libs/libxml2-{2.11.8, 2.12.7}: Buffer overread with xmllint --htmlout
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: base-system, sam
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [stable]
Package list:
Runtime testing required: ---
Bug Depends on: 934868, 934882
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-16 02:24:57 UTC
.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-16 02:29:24 UTC
--- /tmp/mgorny-dev-scripts/portage/dev-libs/libxml2-2.12.6/work/libxml2-2.12.6/NEWS    2024-03-15 11:11:03.000000000 +0000
+++ /tmp/mgorny-dev-scripts/portage/dev-libs/libxml2-2.12.7/work/libxml2-2.12.7/NEWS    2024-05-13 10:33:44.000000000 +0100
@@ -1,5 +1,17 @@
 NEWS file for libxml2
 
+v2.12.7: May 13 2024
+
+### Security
+
+- [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout`
+
+### Regressions
+
+- xmllint: Fix --pedantic option
+- save: Handle invalid parent pointers in xhtmlNodeDumpOutput
+
+
 v2.12.6: Mar 15 2024
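Review bot: The `### Security` entry for CVE-2024-34459 gives only the CVE id and the `xmllint --htmlout` trigger, with no upstream issue or commit reference, so anyone backporting the fix to another branch cannot locate it from NEWS alone; add the upstream reference next to the entry. The `save: Handle invalid parent pointers in xhtmlNodeDumpOutput` line is filed under Regressions although it concerns pointer handling, so it is worth confirming whether it needs security tracking as well.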
Comment 2 Larry the Git Cow gentoo-dev 2024-05-16 02:33:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a8fa62d4d5cf10ff21bf89beb43a36971a80622

commit 4a8fa62d4d5cf10ff21bf89beb43a36971a80622
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-16 02:32:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-16 02:32:38 +0000

    dev-libs/libxml2: add 2.12.7
    
    Bug: https://bugs.gentoo.org/931977
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.12.7.ebuild | 196 +++++++++++++++++++++++++++++++++
 2 files changed, 197 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3bd896997dcd48ebc5a11e7b3801ae7f82b9dc23

commit 3bd896997dcd48ebc5a11e7b3801ae7f82b9dc23
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-16 02:28:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-16 02:28:53 +0000

    dev-libs/libxml2: add 2.11.8
    
    Bug: https://bugs.gentoo.org/931977
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.11.8.ebuild | 200 +++++++++++++++++++++++++++++++++
 2 files changed, 201 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2024-05-16 08:00:22 UTC
I don't know why a CVE was assigned to this issue. At the time I was active in fuzzing, MITRE said that read issues in command line tools are considered an inconvenience.