CVE-2020-24977

Bug #1895839 reported by Sylvain Rabot
Affects                    Status         Importance   Assigned to   Milestone
libxml2 (Debian)           Fix Released   Unknown
libxml2 (Ubuntu)                          High         Unassigned
    Hirsute                               High         Unassigned

Bug Description

GNOME project libxml2 v2.9.10 and earlier have a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24977

Upstream patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2

Bug report: https://gitlab.gnome.org/GNOME/libxml2/-/issues/178

Alex Murray (alexmurray)
information type: Private Security → Public Security
description: updated
description: updated
Changed in libxml2 (Ubuntu):
status: New → Confirmed
Changed in libxml2 (Ubuntu):
importance: Undecided → High
Changed in libxml2 (Debian):
status: Unknown → Fix Released
Mattia Rizzolo (mapreri)
Changed in libxml2 (Ubuntu Hirsute):
status: Confirmed → Fix Released
Steve Beattie (sbeattie) wrote :

Please note that upstream has indicated that this issue only affects the xmllint binary, and not the shared library.
