Hello community,

here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2020-09-10 22:45:28

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libxml2 (Old)
 and      /work/SRC/openSUSE:Factory/.libxml2.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Thu Sep 10 22:45:28 2020 rev:99 rq:832832 version:2.9.10 Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2020-06-11 14:38:27.400219318 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.4249/libxml2.changes 2020-09-10 22:45:34.363687118 +0200 @@ -1,0 +2,7 @@ +Mon Sep 7 08:12:29 UTC 2020 - Pedro Monreal <pmonr...@suse.com> + +- Security fix: [bsc#1176179, CVE-2020-24977] + * xmllint: global-buffer-overflow in xmlEncodeEntitiesInternal +- Add patch libxml2-CVE-2020-24977.patch + +------------------------------------------------------------------- New: ---- libxml2-CVE-2020-24977.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.YckBWg/_old 2020-09-10 22:45:35.399688073 +0200 +++ /var/tmp/diff_new_pack.YckBWg/_new 2020-09-10 22:45:35.403688076 +0200 @@ -53,6 +53,8 @@ Patch5: libxml2-CVE-2020-7595.patch # PATCH-FIX-UPSTREAM bsc#1159928 CVE-2019-19956 Revert usptream commit Patch6: libxml2-CVE-2019-19956.patch +# PATCH-FIX-UPSTREAM bsc#1176179 CVE-2020-24977 xmllint: global-buffer-overflow in xmlEncodeEntitiesInternal +Patch7: libxml2-CVE-2020-24977.patch BuildRequires: fdupes BuildRequires: pkgconfig %if !%{with python} @@ -175,6 +177,7 @@ %patch4 -p1 -R %patch5 -p1 %patch6 -p1 -R +%patch7 -p1 %build %if !%{with python} ++++++ libxml2-CVE-2020-24977.patch ++++++ >From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer <wellnho...@aevum.de> Date: Fri, 7 Aug 2020 21:54:27 +0200 Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout' Make sure that truncated UTF-8 sequences don't cause an out-of-bounds array access. Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for the report. Fixes #178. --- xmllint.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/xmllint.c b/xmllint.c index f6a8e4636..c647486f3 100644 --- a/xmllint.c +++ b/xmllint.c 
@@ -528,6 +528,12 @@ static void xmlHTMLEncodeSend(void) { char *result; + /* + * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might + * end with a truncated UTF-8 sequence. This is a hack to at least avoid + * an out-of-bounds read. + */ + memset(&buffer[sizeof(buffer)-4], 0, 4); result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); if (result) { xmlGenericError(xmlGenericErrorContext, "%s", result); -- GitLab
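Review bot: the Patch7 comment in the libxml2.spec hunk records the bug and CVE ids but not the upstream commit the patch was taken from, even though the patch header itself carries it (50f06b3efb638efb0abd95dc62dca05ae67882c2); putting that hash on the `# PATCH-FIX-UPSTREAM bsc#1176179 CVE-2020-24977 ...` line, as is done for other PATCH-FIX-UPSTREAM entries elsewhere in openSUSE specs, makes the next rebase and any "is this already upstream" check a one-line lookup instead of a diff hunt. Applying it forward with `%patch7 -p1` is correct; only Patch4 and Patch6 are reverts.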
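Review bot: the `memset(&buffer[sizeof(buffer)-4], 0, 4);` in the xmlHTMLEncodeSend hunk stops the out-of-bounds read, but it also silently throws away whatever legitimately occupied the last four bytes of buffer, so a message that fills the buffer loses its tail with no indication in the HTML output; the comment already admits this is a hack, but it should also say why 4 is the right width (the longest UTF-8 sequence is four bytes, so after zeroing four bytes a lead byte at the end of the string is always followed by at least three in-bounds bytes before the array ends) and that the fix depends on buffer being a fixed-size array, which is the only reason sizeof(buffer) means anything here. A more robust alternative is to back up to the last complete UTF-8 sequence boundary wherever text is copied into buffer and terminate there, which keeps every whole character and removes the dependency on what xmlEncodeEntitiesReentrant does with an invalid sequence. It is also worth confirming that behaviour explicitly: after the memset the string can still end with a lead byte followed by NUL bytes, and the hunk's own comment says the encoder assumes valid UTF-8, so the result of that final call may be dropped or differ from the input rather than being encoded cleanly.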