CVE-2020-24977 (https://nvd.nist.gov/vuln/detail/CVE-2020-24977): GNOME project libxml2 v2.9.10 and earlier have a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
Upstream fix: https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
FWIW: https://gitlab.gnome.org/GNOME/libxml2/-/issues/178#note_892545. But there's been a bunch of other useful looking sec-adjacent fixes so let's do a new patchset soon.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c89772e764f988c990d87a3fd3428894317512e

commit 3c89772e764f988c990d87a3fd3428894317512e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-03-11 17:30:06 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-11 17:47:45 +0000

    dev-libs/libxml2: split CVE patch into new revbump (2.9.10-r5), restore old

    Bug: https://bugs.gentoo.org/749849
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/libxml2-2.9.10-xmllint-utf8.patch |   2 +
 dev-libs/libxml2/libxml2-2.9.10-r4.ebuild   | 216 +++++++++++++++++++++
 dev-libs/libxml2/libxml2-2.9.10-r5.ebuild   |   2 +-
 3 files changed, 219 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf3128be852f26ac32c5dd67e904012b094b9496

commit cf3128be852f26ac32c5dd67e904012b094b9496
Author:     Benjamin Gordon <bmgordon@chromium.org>
AuthorDate: 2021-03-05 16:25:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-11 17:47:44 +0000

    dev-libs/libxml2: Add upstream patch for xmllint

    This fixes an out-of-bounds read in xmllint when built with icu. See
    CVE-2020-24977 and https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
    for more info.

    Signed-off-by: Benjamin Gordon <bmgordon@chromium.org>
    Bug: https://bugs.gentoo.org/749849
    Closes: https://github.com/gentoo/gentoo/pull/19835
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/libxml2-2.9.10-xmllint-utf8.patch        | 36 ++++++++++++++++++++++
 ...2-2.9.10-r4.ebuild => libxml2-2.9.10-r5.ebuild} |  3 ++
 2 files changed, 39 insertions(+)
hppa stable
ppc done
ppc64 done
sparc done
amd64 stable
x86 done
arm done
arm64 done
s390 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 202107-05 at https://security.gentoo.org/glsa/202107-05 by GLSA coordinator John Helmert III (ajak).