Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 931977 (CVE-2024-34459) - <dev-libs/libxml2-{2.11.8, 2.12.7}: Buffer overread with xmllint --htmlout
Summary: <dev-libs/libxml2-{2.11.8, 2.12.7}: Buffer overread with xmllint --htmlout
Status: IN_PROGRESS
Alias: CVE-2024-34459
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-16 02:24 UTC by Sam James
Modified: 2024-05-16 08:00 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-16 02:24:57 UTC
.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-16 02:29:24 UTC
--- /tmp/mgorny-dev-scripts/portage/dev-libs/libxml2-2.12.6/work/libxml2-2.12.6/NEWS    2024-03-15 11:11:03.000000000 +0000
+++ /tmp/mgorny-dev-scripts/portage/dev-libs/libxml2-2.12.7/work/libxml2-2.12.7/NEWS    2024-05-13 10:33:44.000000000 +0100
@@ -1,5 +1,17 @@
 NEWS file for libxml2
 
+v2.12.7: May 13 2024
+
+### Security
+
+- [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout`
+
+### Regressions
+
+- xmllint: Fix --pedantic option
+- save: Handle invalid parent pointers in xhtmlNodeDumpOutput
+
+
 v2.12.6: Mar 15 2024
Comment 2 Larry the Git Cow gentoo-dev 2024-05-16 02:33:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a8fa62d4d5cf10ff21bf89beb43a36971a80622

commit 4a8fa62d4d5cf10ff21bf89beb43a36971a80622
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-16 02:32:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-16 02:32:38 +0000

    dev-libs/libxml2: add 2.12.7
    
    Bug: https://bugs.gentoo.org/931977
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.12.7.ebuild | 196 +++++++++++++++++++++++++++++++++
 2 files changed, 197 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3bd896997dcd48ebc5a11e7b3801ae7f82b9dc23

commit 3bd896997dcd48ebc5a11e7b3801ae7f82b9dc23
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-16 02:28:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-16 02:28:53 +0000

    dev-libs/libxml2: add 2.11.8
    
    Bug: https://bugs.gentoo.org/931977
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.11.8.ebuild | 200 +++++++++++++++++++++++++++++++++
 2 files changed, 201 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2024-05-16 08:00:22 UTC
I don't know why a cve was assigned to this issue. At the time I was active in fuzzing, mitre said that read issues in command line tools are considered an inconvenience.