CVE-2020-24977

Published: 4 September 2020

GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.

Notes

Author Note
mdeslaur:
  only affects xmllint
  contrary to description, not fixed in 8e7c20a1
ccdm94:
  According to upstream, 50f06b3e is only a partial fix. Commit bf22713507 must be included in order to achieve a complete fix. Commit bf22713507, however, seems to have introduced an issue (see 237), fixed by 1098c30a04, which in turn seems to be the fix for CVE-2021-3518.

Priority

Low

CVSS 3 Severity Score

6.5

Status

Package: libxml2 (Launchpad, Ubuntu, Debian)

Release Status
upstream Released (2.9.10+dfsg-6.2, 2.9.11)
hirsute Not vulnerable (2.9.10+dfsg-6.3build2)
xenial Released (2.9.3+dfsg1-1ubuntu0.7+esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only)
bionic Released (2.9.4+dfsg1-6.1ubuntu1.4)
jammy Not vulnerable (2.9.10+dfsg-6.3build2)
focal Released (2.9.10+dfsg-5ubuntu0.20.04.1)
groovy Released (2.9.10+dfsg-5ubuntu0.20.10.2)
impish Not vulnerable (2.9.10+dfsg-6.3build2)
trusty Released (2.9.1+dfsg1-3ubuntu4.13+esm2), available with Ubuntu Pro or Ubuntu Pro (Infra-only)

Patches:
upstream: https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
upstream: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity impact None
Availability impact Low
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L