Arch Linux


FS#68510 - [libxml2] CVE-2019-20388 CVE-2020-7595 CVE-2020-24977

Attached to Project: Arch Linux
Opened by loqs (loqs) - Monday, 02 November 2020, 21:57 GMT
Last edited by Jan de Groot (JGC) - Wednesday, 11 November 2020, 15:13 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Jan de Groot (JGC), Levente Polyak (anthraxx)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
CVE-2019-20388
A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed, leading to a denial of service. System availability is the highest threat from this vulnerability. Fixed by [1].

CVE-2020-7595
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. Fixed by [2].

CVE-2020-24977
GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. Fixed by [3].

Additional info:
* libxml2 2.9.10-2
[1] https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a
[2] https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5
[3] https://gitlab.gnome.org/GNOME/libxml2/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
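As an added check that is not part of the bug report: the POSIX shell snippet below compares an installed libxml2 package version against the fixed Arch release 2.9.10-6 listed in this task, so an administrator can confirm a host has picked up the corrected patches. The version comparison is implemented inline rather than by calling pacman's vercmp so that it runs without pacman; the `check_installed_libxml2` wrapper assumes an Arch host where `pacman -Q libxml2` is available. It handles only numeric dotted pkgver values and a numeric pkgrel (an assumption, sufficient for the versions on this page).

```shell
#!/bin/sh
# Added example, not part of the bug report or the libxml2 project.
# Checks whether a libxml2 package version is at or beyond the fixed
# Arch release 2.9.10-6 (taken from this task's "Fixed in" field).
# Assumption: versions are "pkgver-pkgrel" with a numeric dotted pkgver
# and a numeric pkgrel (e.g. "2.9.10-6").

FIXED_VERSION="2.9.10-6"

# Compare two integers; print -1, 0 or 1 like pacman's vercmp.
num_cmp() {
    if [ "$1" -lt "$2" ]; then printf '%s\n' -1
    elif [ "$1" -gt "$2" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# Compare two Arch "pkgver-pkgrel" strings component by component.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2.
pkg_vercmp() {
    a=$1; b=$2
    # Split off the package release; a missing pkgrel counts as 0.
    case $a in *-*) a_ver=${a%%-*}; a_rel=${a##*-} ;; *) a_ver=$a; a_rel=0 ;; esac
    case $b in *-*) b_ver=${b%%-*}; b_rel=${b##*-} ;; *) b_ver=$b; b_rel=0 ;; esac
    # Trailing dot lets the loop consume the last component uniformly.
    a_rest="$a_ver."; b_rest="$b_ver."
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a_part=${a_rest%%.*}; a_rest=${a_rest#*.}
        b_part=${b_rest%%.*}; b_rest=${b_rest#*.}
        # A shorter version is padded with zeros (2.9 == 2.9.0).
        r=$(num_cmp "${a_part:-0}" "${b_part:-0}")
        if [ "$r" != 0 ]; then printf '%s\n' "$r"; return 0; fi
    done
    # Same upstream version: the package release decides.
    num_cmp "$a_rel" "$b_rel"
}

# Succeed (exit 0) when the given version already contains the fixes.
libxml2_is_fixed() {
    [ "$(pkg_vercmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Query the installed package on an Arch host and report its status.
# Exit 0 = fixed, 1 = affected, 2 = pacman not available.
check_installed_libxml2() {
    if ! command -v pacman >/dev/null 2>&1; then
        echo "pacman not found; this check only applies to Arch hosts" >&2
        return 2
    fi
    installed=$(pacman -Q libxml2 | awk '{print $2}')
    if libxml2_is_fixed "$installed"; then
        echo "libxml2 $installed: at or beyond $FIXED_VERSION (fixed)"
    else
        echo "libxml2 $installed: older than $FIXED_VERSION (affected)"
        return 1
    fi
}

# Usage: source this file and call check_installed_libxml2, or run
#   sh check_libxml2.sh
if [ "${0##*/}" = "check_libxml2.sh" ]; then
    check_installed_libxml2
fi
```

The wrapper's exit status makes it usable from a fleet inventory job: a non-zero status flags hosts still carrying 2.9.10-2 (the version this task was reported against) or anything earlier than 2.9.10-6.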
This task depends upon

Closed by Jan de Groot (JGC)
Wednesday, 11 November 2020, 15:13 GMT
Reason for closing: Fixed
Additional comments about closing: Added correct patch, renamed integer overflow patch.

2.9.10-6 (extra)
2.9.10-7 (staging)
Comment by Remi Gacogne (rgacogne) - Tuesday, 10 November 2020, 21:12 GMT
  • Field changed: Percent Complete (100% → 0%)
Comment by Jan de Groot (JGC) - Wednesday, 11 November 2020, 12:48 GMT
Thanks for noticing. As the PKGBUILD states, these patches were downloaded from Fedora. Seems Ubuntu also found out about this:
https://www.mail-archive.com/search?l=touch-packages%40lists.launchpad.net&q=subject:%22%5C%5BTouch%5C-packages%5C%5D+%5C%5BBug+1895839%5C%5D+Re%5C%3A+CVE%5C-2020%5C-24977%22&o=newest&f=1

I'll update the package with the correct patch and inform the Fedora maintainer.
