Debian-LTS has issued an advisory on September 10:
https://www.debian.org/lts/security/2020/dla-2369

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
I think it should be OK to assign this to you, Shlomi.
Assignee: bugsquad => shlomif
openSUSE has issued an advisory for this on September 19: https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html
Fedora has issued an advisory for this on September 16: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/
Fedora has issued an updated advisory for this on November 14: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/
Patched packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

libxml2 v2.9.10 and earlier has a global Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c (CVE-2020-24977).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24977
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.9-2.5.mga7
libxml2-utils-2.9.9-2.5.mga7
libxml2-python-2.9.9-2.5.mga7
libxml2-python3-2.9.9-2.5.mga7
libxml2-devel-2.9.9-2.5.mga7

from libxml2-2.9.9-2.5.mga7.src.rpm
Assignee: shlomif => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
mga7, x64

CVE-2020-24977
https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
Upstream this leads to an ABORT under asan.

$ xmllint --htmlout poc.24977
<html>.....
<p>№........</p>
<pre>
error : xmlEncodeEntities: input not UTF-8
[...]
</pre><p>poc.24977:64: <b>error</b>: Premature end of data in tag spec line 58
</p>
<pre>
te><day>&draft.day;</day><month>&draft.month;</month><year>&draft.year;</yџџŠ
^
</pre></body></html>

This looks harmless, not very tidy, but may already be fixed.

Updated the packages:
- lib64xml2-devel-2.9.9-2.5.mga7.x86_64
- lib64xml2_2-2.9.9-2.5.mga7.x86_64
- libxml2-python-2.9.9-2.5.mga7.x86_64
- libxml2-python3-2.9.9-2.5.mga7.x86_64
- libxml2-utils-2.9.9-2.5.mga7.x86_64

The PoC produced exactly the same result as before, no ABORT.

$ urpmq --whatrequires lib64xml2_2 | sort -u | wc -l
513

Ran rhythmbox for a while under strace.
$ grep xml2 rbox.trace
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/girepository-1.0/libxml2-2.0.typelib", O_RDONLY) = 15

$ urpmq --requires darktable | grep xml2
darktable: libxml2.so.2()(64bit)
darktable: libxml2.so.2(LIBXML2_2.4.30)(64bit)
darktable: libxml2.so.2(LIBXML2_2.6.0)(64bit)
darktable: libxml2.so.2()(64bit)
darktable: libxml2.so.2(LIBXML2_2.4.30)(64bit)
darktable: libxml2.so.2(LIBXML2_2.6.0)(64bit)

Ran darktable under strace.
$ grep xml2 dark.trace
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3

This looks OK to be pushed.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0002.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED