FS#68510 - [libxml2] CVE-2019-20388 CVE-2020-7595 CVE-2020-24977
Attached to Project:
Arch Linux
Opened by loqs (loqs) - Monday, 02 November 2020, 21:57 GMT
Last edited by Jan de Groot (JGC) - Wednesday, 11 November 2020, 15:13 GMT
Details
Description:
CVE-2019-20388
A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed, leading to a denial of service. System availability is the highest threat from this vulnerability. Fixed by [1].

CVE-2020-7595
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. Fixed by [2].

CVE-2020-24977
GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. Fixed by [3].

Additional info:
* libxml2 2.9.10-2

[1] https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a
[2] https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5
[3] https://gitlab.gnome.org/GNOME/libxml2/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
Closed by Jan de Groot (JGC)
Wednesday, 11 November 2020, 15:13 GMT
Reason for closing: Fixed
Additional comments about closing: Added correct patch, renamed integer overflow patch.
2.9.10-6 (extra)
2.9.10-7 (staging)
https://www.mail-archive.com/search?l=touch-packages%40lists.launchpad.net&q=subject:%22%5C%5BTouch%5C-packages%5C%5D+%5C%5BBug+1895839%5C%5D+Re%5C%3A+CVE%5C-2020%5C-24977%22&o=newest&f=1
I'll update the package with the correct patch and inform the Fedora maintainer.