Bug 1176179 (CVE-2020-24977) - VUL-1: CVE-2020-24977: libxml2: global Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c
Summary: VUL-1: CVE-2020-24977: libxml2: global Buffer Overflow vulnerability in xmlE...
Status: RESOLVED FIXED
Alias: CVE-2020-24977
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/266743/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-24977:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-04 15:58 UTC by Marcus Meissner
Modified: 2023-04-06 15:28 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2020-09-04 15:58:15 UTC
CVE-2020-24977

GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has
been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24977
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-24977.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24977
https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
Comment 1 Pedro Monreal Gonzalez 2020-09-07 07:59:51 UTC
Upstream fix commit:
   https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
Comment 2 Pedro Monreal Gonzalez 2020-09-07 17:47:28 UTC
Factory submission: https://build.opensuse.org/request/show/832832
Comment 5 Swamp Workflow Management 2020-09-11 13:18:49 UTC
SUSE-SU-2020:2609-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1159928,1161517,1161521,1172021,1176179
CVE References: CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libxml2-2.9.4-46.34.1
SUSE Linux Enterprise Server 12-SP5 (src):    libxml2-2.9.4-46.34.1, python-libxml2-2.9.4-46.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-09-11 13:20:51 UTC
SUSE-SU-2020:2612-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1176179
CVE References: CVE-2020-24977
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    python-libxml2-python-2.9.7-3.25.1
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    python-libxml2-python-2.9.7-3.25.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libxml2-2.9.7-3.25.1, python-libxml2-python-2.9.7-3.25.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libxml2-2.9.7-3.25.1, python-libxml2-python-2.9.7-3.25.1
Comment 7 Swamp Workflow Management 2020-09-14 22:14:37 UTC
openSUSE-SU-2020:1430-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1176179
CVE References: CVE-2020-24977
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    libxml2-2.9.7-lp151.5.15.1, python-libxml2-python-2.9.7-lp151.5.15.1
Comment 8 Swamp Workflow Management 2020-09-19 16:22:58 UTC
openSUSE-SU-2020:1465-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1176179
CVE References: CVE-2020-24977
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libxml2-2.9.7-lp152.10.3.1, python-libxml2-python-2.9.7-lp152.10.3.1
Comment 9 Wolfgang Frisch 2020-10-15 11:33:05 UTC
Released.
Comment 10 Swamp Workflow Management 2021-05-19 19:20:18 UTC
SUSE-SU-2021:14729-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1159928,1161517,1161521,1176179,1185408,1185409,1185410,1185698
CVE References: CVE-2014-0191,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
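Added example (editor's code, not part of this bug report, of SUSE's update tooling or of libxml2): a small Python script that answers the question these update notices raise on a given host, namely whether the installed libxml2 build is at or above the fixed VERSION-RELEASE for that product. The fixed versions are copied from the notices above; the product labels are the editor's short forms of the product names in those notices. The rpm version ordering is a re-implementation that covers the common cases (numeric, alphabetic and `~` segments; caret handling and epoch are not covered), and the binary package name `libxml2-2` in the usage line is an assumption about SUSE's packaging.

```python
import re
import sys
from typing import List, Optional, Tuple

# Fixed source-package versions, copied from the update notices in this bug:
#   SUSE-SU-2020:2609-1, SUSE-SU-2020:2612-1, openSUSE-SU-2020:1430-1,
#   openSUSE-SU-2020:1465-1 and SUSE-SU-2021:14729-1 (VERSION-RELEASE part only).
# The product labels are short forms chosen for this example.
FIXED_VERSIONS = {
    "SLES 12-SP5": "2.9.4-46.34.1",
    "SLE 15-SP1": "2.9.7-3.25.1",
    "SLE 15-SP2": "2.9.7-3.25.1",
    "openSUSE Leap 15.1": "2.9.7-lp151.5.15.1",
    "openSUSE Leap 15.2": "2.9.7-lp152.10.3.1",
    "SLES 11-SP4-LTSS": "2.7.6-0.77.36.1",
}

# rpm compares version strings segment by segment; separators such as '.' and '-'
# are ignored, only runs of digits, runs of letters and the '~' marker matter.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Re-implementation (this example's own, not rpm's code) of the rpmvercmp
    ordering for the common cases:
      * numeric segments compare numerically (leading zeros are irrelevant),
      * alphabetic segments compare lexically,
      * a numeric segment is newer than an alphabetic one,
      * '~' sorts before anything, including the end of the string (1.0~rc1 < 1.0),
      * otherwise the string with segments left over is newer (1.0a > 1.0).
    Caret ('^') is not handled. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa: List[str] = _SEGMENT.findall(a)
    sb: List[str] = _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x: Optional[str] = sa[i] if i < len(sa) else None
        y: Optional[str] = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    return 0


def split_vr(vr: str) -> Tuple[str, str]:
    """Split 'VERSION-RELEASE' at the last dash (an rpm release cannot contain
    a dash, so the split is unambiguous)."""
    version, dash, release = vr.rpartition("-")
    if not dash or not version or not release:
        raise ValueError(f"expected VERSION-RELEASE, got {vr!r}")
    return version, release


def compare_vr(a: str, b: str) -> int:
    """Compare two VERSION-RELEASE strings: version first, release only on a tie."""
    va, ra = split_vr(a)
    vb, rb = split_vr(b)
    c = rpmvercmp(va, vb)
    return c if c != 0 else rpmvercmp(ra, rb)


def is_fixed(installed_vr: str, product: str) -> bool:
    """True when the installed build is at or above the product's fixed build.
    This only says that the vendor's patched package (or a later one) is
    installed; a libxml2 built from another source is not covered by the test."""
    return compare_vr(installed_vr, FIXED_VERSIONS[product]) >= 0


def main(argv: List[str]) -> int:
    if len(argv) != 3 or argv[1] not in FIXED_VERSIONS:
        print("usage: check_libxml2_fix.py PRODUCT VERSION-RELEASE", file=sys.stderr)
        print("products:", ", ".join(FIXED_VERSIONS), file=sys.stderr)
        return 2
    product, installed = argv[1], argv[2]
    state = "fixed" if is_fixed(installed, product) else "VULNERABLE"
    print(f"{product}: libxml2 {installed} (fix: {FIXED_VERSIONS[product]}) -> {state}")
    return 0 if state == "fixed" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage on a host (package name `libxml2-2` assumed): `python3 check_libxml2_fix.py "openSUSE Leap 15.1" "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' libxml2-2)"`. The exit status (0 fixed, 1 vulnerable, 2 usage error) makes it usable from a fleet-wide check; comparing the full VERSION-RELEASE rather than just the upstream version matters here because the fix was shipped as a backport on top of 2.9.4, 2.9.7 and 2.7.6 builds, not as a new upstream version.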