Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 842261 (CVE-2022-29824) - <dev-libs/libxml2-2.9.14: Integer overflows in xmlBuf and xmlBuffer
Summary: <dev-libs/libxml2-2.9.14: Integer overflows in xmlBuf and xmlBuffer
Status: RESOLVED FIXED
Alias: CVE-2022-29824
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 842297 847127
Blocks:
  Show dependency tree
 
Reported: 2022-05-03 00:23 UTC by Sam James
Modified: 2022-10-16 14:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-03 00:23:06 UTC
See https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd.

"""
In several places, the code handling string buffers didn't check for
integer overflow or used wrong types for buffer sizes. This could
result in out-of-bounds writes or other memory errors when working on
large, multi-gigabyte buffers.

Thanks to Felix Wilhelm for the report.
"""
Comment 1 Larry the Git Cow gentoo-dev 2022-05-03 00:50:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bbbe5e4ec96f6c8b2d2858f9c23fa8a24a797f2

commit 8bbbe5e4ec96f6c8b2d2858f9c23fa8a24a797f2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-03 00:38:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-03 00:39:01 +0000

    dev-libs/libxml2: add 2.9.14
    
    Bug: https://bugs.gentoo.org/842261
    Closes: https://bugs.gentoo.org/582130
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest                          |   1 +
 .../files/libxml2-2.9.13-testapi-missing-xml.patch |   9 -
 .../files/libxml2-2.9.8-out-of-tree-test.patch     |  31 ++++
 dev-libs/libxml2/libxml2-2.9.14.ebuild             | 193 +++++++++++++++++++++
 dev-libs/libxml2/libxml2-9999.ebuild               |  51 +++---
 5 files changed, 255 insertions(+), 30 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:32:17 UTC
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2022-10-16 14:46:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=adf5474fd11ba8a07548c5e37fac5e66db57a112

commit adf5474fd11ba8a07548c5e37fac5e66db57a112
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:40:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:20 +0000

    [ GLSA 202210-03 ] libxml2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/833809
    Bug: https://bugs.gentoo.org/842261
    Bug: https://bugs.gentoo.org/865727
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-03.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 14:54:56 UTC
GLSA released, all done!