Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 710748 (CVE-2019-20388, CVE-2020-7595) - <dev-libs/libxml2-2.9.10: multiple vulnerabilities (CVE-{2019-20388,2020-7595)
Summary: <dev-libs/libxml2-2.9.10: multiple vulnerabilities (CVE-{2019-20388,2020-7595)
Status: IN_PROGRESS
Alias: CVE-2019-20388, CVE-2020-7595
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve cleanup]
Keywords: CC-ARCHES, PullRequest
: 729442 (view as bug list)
Depends on: 704202 737024
Blocks: CVE-2019-13117, CVE-2019-13118, CVE-2019-18197
  Show dependency tree
 
Reported: 2020-02-25 00:49 UTC by GLSAMaker/CVETool Bot
Modified: 2020-10-18 01:18 UTC (History)
2 users (show)

See Also:
Package list:
dev-libs/libxml2-2.9.10-r1 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86 dev-libs/libxslt-1.1.34 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-25 00:49:02 UTC
CVE-2019-20388 (https://nvd.nist.gov/vuln/detail/CVE-2019-20388):
  xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an
  xmlSchemaValidateStream memory leak.

CVE-2020-7595 (https://nvd.nist.gov/vuln/detail/CVE-2020-7595):
  xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite
  loop in a certain end-of-file situation.
Comment 1 Sam James archtester gentoo-dev Security 2020-03-16 18:45:04 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2019-20388 (https://nvd.nist.gov/vuln/detail/CVE-2019-20388):
>   xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an
>   xmlSchemaValidateStream memory leak.
> 

PR: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/68
Patch: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a

> CVE-2020-7595 (https://nvd.nist.gov/vuln/detail/CVE-2020-7595):
>   xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite
>   loop in a certain end-of-file situation.

Patch: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076
Comment 2 Sam James archtester gentoo-dev Security 2020-04-22 01:36:56 UTC
@maintainer(s): ping, please bump
Comment 3 Hanno Böck gentoo-dev 2020-06-20 16:36:23 UTC
There are actually not just these two vulnerabilities. A large number of memory safety bugs have been fixed in the latest release 2.9.10:
https://mail.gnome.org/archives/xml/2019-October/msg00014.html

This should get a bump asap.
Comment 4 Larry the Git Cow gentoo-dev 2020-07-29 20:55:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53ccf8fa1b30f2a7baebd9617de599e3109963b4

commit 53ccf8fa1b30f2a7baebd9617de599e3109963b4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-06-23 11:28:23 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2020-07-29 20:55:19 +0000

    dev-libs/libxml2: security bump to 2.0.10, with patches
    
    We bump here to 2.0.10, but include patches up to the upstream commit
    c0440868.
    
    The only modifications made between the git repo from upstream and
    creation of the patchset tarball were removal of any patches which could
    not apply because e.g. they touch files not in the release tarball, or
    were applicable just to fuzzing so not useful here, and git could not
    apply them anyway.
    
    Let's bump to EAPI 7 too, while we're here, to help out the cross
    compilers.
    
    Bug: https://bugs.gentoo.org/710748
    Closes: https://bugs.gentoo.org/719088
    Closes: https://bugs.gentoo.org/704202
    Closes: https://github.com/gentoo/gentoo/pull/16405
    Signed-off-by: Sam James <sam@gentoo.org>
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 dev-libs/libxml2/Manifest              |   2 +
 dev-libs/libxml2/libxml2-2.9.10.ebuild | 224 +++++++++++++++++++++++++++++++++
 2 files changed, 226 insertions(+)
Comment 5 Sam James archtester gentoo-dev Security 2020-07-29 21:03:07 UTC
We'll give it a few days, although it should be fine.
Comment 6 charles17 2020-07-30 09:18:34 UTC
*** Bug 729442 has been marked as a duplicate of this bug. ***
Comment 7 Sam James archtester gentoo-dev Security 2020-08-11 08:30:17 UTC
I think we're good to go. I'll CC-ARCHES later today if no objections.
Comment 8 Sam James archtester gentoo-dev Security 2020-08-12 04:00:27 UTC
sparc done
Comment 9 Sam James archtester gentoo-dev Security 2020-08-12 04:01:53 UTC
arm64 done
Comment 10 Sam James archtester gentoo-dev Security 2020-08-12 10:49:35 UTC
arm done
Comment 11 Sam James archtester gentoo-dev Security 2020-08-14 16:02:30 UTC
x86 done
Comment 12 Sam James archtester gentoo-dev Security 2020-08-14 17:19:09 UTC
amd64 done
Comment 13 Sergei Trofimovich gentoo-dev 2020-08-15 07:42:45 UTC
hppa stable
Comment 14 Larry the Git Cow gentoo-dev 2020-08-16 04:23:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc0c637a699f51f9736527c162675b52548207c0

commit dc0c637a699f51f9736527c162675b52548207c0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-16 04:23:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-16 04:23:15 +0000

    dev-libs/libxml2: add upstream patch for consumers
    
    Within our patchset (which included various upstream memory
    correctness fixes), we included a patch
    (0034-Call-xmlCleanupParser-on-ELF-destruction.patch)
    
    which has caused crashes in some applications e.g. nokogiri
    because they use a custom free handler.
    
    We apply upstream's patch for this issue
    (check-for-custom-free-function-in-global-destructor.patch).
    
    We will likely give this a small amount of time in ~arch,
    then move the stable keywords from 2.9.10 forward,
    as this is a minor change and affects the current stable
    for most arches.
    
    Bug: https://bugs.gentoo.org/710748
    Bug: https://bugs.gentoo.org/737024
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest                 |   1 +
 dev-libs/libxml2/libxml2-2.9.10-r1.ebuild | 224 ++++++++++++++++++++++++++++++
 2 files changed, 225 insertions(+)
Comment 15 Sam James archtester gentoo-dev Security 2020-08-17 01:09:37 UTC
s390 done
Comment 16 Sam James archtester gentoo-dev Security 2020-08-31 04:03:05 UTC
ppc64 done
Comment 17 Sam James archtester gentoo-dev Security 2020-09-06 16:17:17 UTC
ppc stable. Please cleanup.
Comment 18 John Helmert III (ajak) 2020-09-18 04:30:12 UTC
Another (CVE-2020-24977):

GNOME project libxml2 v2.9.10 and earlier have a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
Comment 19 NATTkA bot gentoo-dev 2020-09-26 16:25:20 UTC
Unable to check for sanity:

> no match for package: dev-libs/libxml2-2.9.10-r1
Comment 20 Thomas Deutschmann gentoo-dev Security 2020-10-18 01:17:32 UTC
Removing CVE-2020-24977 which is not handled in this bug.