Ubuntu
libxml2 package

CVE-2020-24977

Bug #1895839 reported by Sylvain Rabot on 2020-09-16

256

This bug affects 1 person

	Status	Importance	Assigned to
libxml2 (Debian)	Fix Released	Unknown	debbugs #969529
libxml2 (Ubuntu)	Fix Released	High	Unassigned
Hirsute	Fix Released	High	Unassigned

Bug Description

GNOME project libxml2 v2.9.10 and earlier have a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24977

Upstream patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2

Bug report: https://gitlab.gnome.org/GNOME/libxml2/-/issues/178

See original description

CVE References

2020-24977

Alex Murray (alexmurray) on 2020-09-17

information type:

Private Security → Public Security

Avital Ostromich (avital) on 2020-09-23

description:

updated

Avital Ostromich (avital) on 2020-09-23

description:

updated

Eduardo Barretto (ebarretto) on 2020-10-21

Changed in libxml2 (Ubuntu):
status:	New → Confirmed

Sebastien Bacher (seb128) on 2020-10-22

Changed in libxml2 (Ubuntu):
importance:	Undecided → High

Bug Watch Updater (bug-watch-updater) on 2021-02-25

Changed in libxml2 (Debian):
status:	Unknown → Fix Released

Mattia Rizzolo (mapreri) on 2021-02-25

Changed in libxml2 (Ubuntu Hirsute):
status:	Confirmed → Fix Released

Revision history for this message

Steve Beattie (sbeattie) wrote on 2021-04-12:

Please note that upstream has indicated that this issue only affects the xmllint binary, and not the shared library.

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #969529
[done important fixed-upstream security patch upstream] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntulibxml2 package