Bug 1877788 (CVE-2020-24977)

Summary: CVE-2020-24977 libxml2: Buffer overflow vulnerability in xmlEncodeEntitiesInternal() in entities.c
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: cbyrne, cmoore, crarobin, csutherl, dking, erik-fedora, gmccullo, gzaronik, jclere, jmadigan, jwon, kaycoth, krathod, lnacshon, mbabacek, mturk, ngough, ohudlick, pjindal, rh-spice-bugs, rjones, scorneli, veillard
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-18 20:36:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1890083, 1877789, 1878251, 1878252, 1878253, 1879080
Bug Blocks: 1877792

Description Michael Kaplan 2020-09-10 12:52:45 UTC
GNOME project libxml2 v2.9.10 and earlier have a global buffer overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).

References:

https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html

Comment 1 Michael Kaplan 2020-09-10 12:53:13 UTC
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1877789]

Comment 8 Todd Cullum 2020-09-11 17:38:11 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 12 Richard W.M. Jones 2020-11-11 13:30:24 UTC
(In reply to Richard W.M. Jones from comment #5)
> I've done the Fedora and Fedora mingw-libxml2 packages.  No bug was created
> to track Fedora.
> 
> libxml2
> f33 https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd2fc19b78
> f32 https://bodhi.fedoraproject.org/updates/FEDORA-2020-35087800be
> f31 https://bodhi.fedoraproject.org/updates/FEDORA-2020-20ab468a33
> 
> mingw-libxml2
> f33 https://bodhi.fedoraproject.org/updates/FEDORA-2020-be489044df
> f32 https://bodhi.fedoraproject.org/updates/FEDORA-2020-b60dbdd538
> f31 https://bodhi.fedoraproject.org/updates/FEDORA-2020-7dd29dacad

So I managed to apply the wrong fix for this. Luckily the Arch maintainer who is using Fedora patches noticed this.

https://bugs.archlinux.org/task/68510

Additional fixes coming up.

Comment 15 errata-xmlrpc 2021-05-18 13:33:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1597 https://access.redhat.com/errata/RHSA-2021:1597

Comment 16 Product Security DevOps Team 2021-05-18 20:36:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-24977