Bug 749849 (CVE-2020-24977) - <dev-libs/libxml2-2.9.10-r5: Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c (CVE-2020-24977)
Status: RESOLVED FIXED
Alias: CVE-2020-24977
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/libxml...
Whiteboard: A3 [glsa+ cve]
Reported: 2020-10-18 01:21 UTC by GLSAMaker/CVETool Bot
Modified: 2021-07-06 03:29 UTC
Package list:
dev-libs/libxml2-2.9.10-r5
Runtime testing required: ---
nattka: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2020-10-18 01:21:16 UTC
CVE-2020-24977 (https://nvd.nist.gov/vuln/detail/CVE-2020-24977):
  GNOME project libxml2 v2.9.10 and earlier have a global buffer over-read
  vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue
  has been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
Comment 2 Sam James archtester gentoo-dev Security 2020-11-24 12:03:02 UTC
FWIW: https://gitlab.gnome.org/GNOME/libxml2/-/issues/178#note_892545.

But there's been a bunch of other useful looking sec-adjacent fixes so let's do a new patchset soon.
Comment 3 Larry the Git Cow gentoo-dev 2021-03-11 17:47:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c89772e764f988c990d87a3fd3428894317512e

commit 3c89772e764f988c990d87a3fd3428894317512e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-03-11 17:30:06 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-11 17:47:45 +0000

    dev-libs/libxml2: split CVE patch into new revbump (2.9.10-r5), restore old
    
    Bug: https://bugs.gentoo.org/749849
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/libxml2-2.9.10-xmllint-utf8.patch        |   2 +
 dev-libs/libxml2/libxml2-2.9.10-r4.ebuild          | 216 +++++++++++++++++++++
 dev-libs/libxml2/libxml2-2.9.10-r5.ebuild          |   2 +-
 3 files changed, 219 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf3128be852f26ac32c5dd67e904012b094b9496

commit cf3128be852f26ac32c5dd67e904012b094b9496
Author:     Benjamin Gordon <bmgordon@chromium.org>
AuthorDate: 2021-03-05 16:25:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-11 17:47:44 +0000

    dev-libs/libxml2: Add upstream patch for xmllint
    
    This fixes an out-of-bounds read in xmllint when built with icu.  See
    CVE-2020-24977 and https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
    for more info.
    
    Signed-off-by: Benjamin Gordon <bmgordon@chromium.org>
    Bug: https://bugs.gentoo.org/749849
    Closes: https://github.com/gentoo/gentoo/pull/19835
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/libxml2-2.9.10-xmllint-utf8.patch        | 36 ++++++++++++++++++++++
 ...2-2.9.10-r4.ebuild => libxml2-2.9.10-r5.ebuild} |  3 ++
 2 files changed, 39 insertions(+)
Comment 4 Rolf Eike Beer archtester 2021-03-25 06:41:51 UTC
hppa stable
Comment 5 Sam James archtester gentoo-dev Security 2021-03-25 23:17:28 UTC
ppc done
Comment 6 Sam James archtester gentoo-dev Security 2021-03-25 23:18:23 UTC
ppc64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-03-25 23:39:18 UTC
sparc done
Comment 8 Agostino Sarubbo gentoo-dev 2021-03-26 15:31:59 UTC
amd64 stable
Comment 9 Sam James archtester gentoo-dev Security 2021-03-26 18:36:11 UTC
x86 done
Comment 10 Sam James archtester gentoo-dev Security 2021-03-27 16:05:09 UTC
arm done
Comment 11 Sam James archtester gentoo-dev Security 2021-03-27 16:05:24 UTC
arm64 done
Comment 12 Agostino Sarubbo gentoo-dev 2021-03-27 18:26:01 UTC
s390 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Thomas Deutschmann gentoo-dev Security 2021-05-24 00:16:17 UTC
Added to an existing GLSA request.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-07-06 03:29:39 UTC
This issue was resolved and addressed in
 GLSA 202107-05 at https://security.gentoo.org/glsa/202107-05
by GLSA coordinator John Helmert III (ajak).