GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).

References:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1877789]
I've done the Fedora and Fedora mingw-libxml2 packages. No bug was created to track Fedora.

libxml2
f33 https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd2fc19b78
f32 https://bodhi.fedoraproject.org/updates/FEDORA-2020-35087800be
f31 https://bodhi.fedoraproject.org/updates/FEDORA-2020-20ab468a33

mingw-libxml2
f33 https://bodhi.fedoraproject.org/updates/FEDORA-2020-be489044df
f32 https://bodhi.fedoraproject.org/updates/FEDORA-2020-b60dbdd538
f31 https://bodhi.fedoraproject.org/updates/FEDORA-2020-7dd29dacad
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
(In reply to Richard W.M. Jones from comment #5)
> I've done the Fedora and Fedora mingw-libxml2 packages. No bug was created
> to track Fedora.
>
> libxml2
> f33 https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd2fc19b78
> f32 https://bodhi.fedoraproject.org/updates/FEDORA-2020-35087800be
> f31 https://bodhi.fedoraproject.org/updates/FEDORA-2020-20ab468a33
>
> mingw-libxml2
> f33 https://bodhi.fedoraproject.org/updates/FEDORA-2020-be489044df
> f32 https://bodhi.fedoraproject.org/updates/FEDORA-2020-b60dbdd538
> f31 https://bodhi.fedoraproject.org/updates/FEDORA-2020-7dd29dacad

So I managed to apply the wrong fix for this. Luckily the Arch maintainer who is using Fedora patches noticed this.

https://bugs.archlinux.org/task/68510

Additional fixes coming up.
libxml2
f34 https://koji.fedoraproject.org/koji/taskinfo?taskID=55387118
f33 https://bodhi.fedoraproject.org/updates/FEDORA-2020-935f62c3d9
f32 https://bodhi.fedoraproject.org/updates/FEDORA-2020-b6aaf25741

mingw-libxml2
f34 https://koji.fedoraproject.org/koji/taskinfo?taskID=55387386
f33 https://bodhi.fedoraproject.org/updates/FEDORA-2020-ff317550e4
f32 https://bodhi.fedoraproject.org/updates/FEDORA-2020-7773c53bc8
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:1597 https://access.redhat.com/errata/RHSA-2021:1597
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-24977