An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
https://gitlab.gnome.org/GNOME/libxml2/-/tags
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2024:1317 https://access.redhat.com/errata/RHSA-2024:1317
Nokogiri upgrades its dependency libxml2 as follows:
Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
References:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml
Please note that rubygem-nokogiri is typically using system libxml2, therefore it should not be vulnerable: https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118
(In reply to Vít Ondruch from comment #7)
> Please note that rubygem-nokogiri is typically using system libxml2,
> therefore it should not be vulnerable:
>
> https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

BTW the dependency can be seen like this:

~~~
rpm -qRp https://kojipkgs.fedoraproject.org//packages/rubygem-nokogiri/1.16.3/1.fc41/x86_64/rubygem-nokogiri-1.16.3-1.fc41.x86_64.rpm
(rubygem(racc) >= 1.4 with rubygem(racc) < 2)
/usr/bin/env
/usr/bin/ruby
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libc.so.6(GLIBC_ABI_DT_RELR)(64bit)
libexslt.so.0()(64bit)
libruby.so.3.3()(64bit)
libxml2.so.2()(64bit)
libxml2.so.2(LIBXML2_2.4.30)(64bit)
libxml2.so.2(LIBXML2_2.5.0)(64bit)
libxml2.so.2(LIBXML2_2.5.2)(64bit)
libxml2.so.2(LIBXML2_2.5.7)(64bit)
libxml2.so.2(LIBXML2_2.5.8)(64bit)
libxml2.so.2(LIBXML2_2.6.0)(64bit)
libxml2.so.2(LIBXML2_2.6.12)(64bit)
libxml2.so.2(LIBXML2_2.6.15)(64bit)
libxml2.so.2(LIBXML2_2.6.2)(64bit)
libxml2.so.2(LIBXML2_2.6.20)(64bit)
libxml2.so.2(LIBXML2_2.6.21)(64bit)
libxml2.so.2(LIBXML2_2.6.23)(64bit)
libxml2.so.2(LIBXML2_2.6.24)(64bit)
libxml2.so.2(LIBXML2_2.6.3)(64bit)
libxml2.so.2(LIBXML2_2.6.8)(64bit)
libxml2.so.2(LIBXML2_2.7.3)(64bit)
libxslt.so.1()(64bit)
libxslt.so.1(LIBXML2_1.0.11)(64bit)
libxslt.so.1(LIBXML2_1.0.13)(64bit)
libxslt.so.1(LIBXML2_1.0.18)(64bit)
libxslt.so.1(LIBXML2_1.0.24)(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
rpmlib(RichDependencies) <= 4.12.0-1
rtld(GNU_HASH)
ruby(rubygems)
rubygem(racc)
~~~

And if the libxml2 was bundled, there should have been `bundled(libxml2)` provide. It seems that these methods are long forgotten by ProdSec, so I'd like to remind that it would be better if the trackers were not blindly filled all around.
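The check described in the comment above, as an added example that is not part of the original thread: it classifies a package's libxml2 linkage from the text of `rpm -qR` and `rpm -q --provides`, and tests a libxml2 version against the range given in the issue description. The function names and both Provides lists are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are the text of `rpm -qR`
# (requires) and `rpm -q --provides` (provides) for one package.

# Print "bundled", "system" or "none" for a package's libxml2 linkage.
libxml2_linkage() {
    if printf '%s\n' "$2" | grep -q '^bundled(libxml2)'; then
        echo bundled      # package ships its own copy; check that copy's version
    elif printf '%s\n' "$1" | grep -q '^libxml2\.so\.2'; then
        echo system       # fixed by updating the system libxml2 package
    else
        echo none
    fi
}

# Succeed if VERSION is in the range the issue description names:
# before 2.11.7, or 2.12.x before 2.12.5.
libxml2_version_affected() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}      # drop a release suffix such as "-1.fc41"
    patch=${patch:-0}
    [ "$major" -eq 2 ] || { [ "$major" -lt 2 ]; return; }
    case $minor in
        11) [ "$patch" -lt 7 ] ;;
        12) [ "$patch" -lt 5 ] ;;
        *)  [ "$minor" -lt 11 ] ;;
    esac
}

# Constructed sample data: a few Requires lines as quoted in the thread,
# and two made-up Provides lists (system-linked build vs. bundling build).
sample_requires='libexslt.so.0()(64bit)
libxml2.so.2()(64bit)
libxml2.so.2(LIBXML2_2.6.0)(64bit)
libxslt.so.1()(64bit)'
sample_provides='rubygem(nokogiri) = 1.16.3'
bundling_provides='rubygem(nokogiri) = 1.16.3
bundled(libxml2) = 2.12.4'

echo "system build:   $(libxml2_linkage "$sample_requires" "$sample_provides")"
echo "bundling build: $(libxml2_linkage '' "$bundling_provides")"
```
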
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 2270722]
Created mingw-libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 2270724]
Created pcem tracking bugs for this issue:
Affects: fedora-all [bug 2270725]
Created qt5-qtwebengine tracking bugs for this issue:
Affects: epel-all [bug 2270721]
Affects: fedora-all [bug 2270726]
Created qt6-qtwebengine tracking bugs for this issue:
Affects: fedora-all [bug 2270727]
Created rubygem-nokogiri tracking bugs for this issue:
Affects: epel-all [bug 2270728]
Affects: fedora-all [bug 2270729]
(In reply to Vít Ondruch from comment #7)
> Please note that rubygem-nokogiri is typically using system libxml2,
> therefore it should not be vulnerable:
>
> https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

@btarraso / @trathi: Would you mind updating your tooling?
Looks like it was fixed by the following commits:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970884fcc13305cb8e23cdc5f0dd7667c2c
https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2679 https://access.redhat.com/errata/RHSA-2024:2679
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:3299 https://access.redhat.com/errata/RHSA-2024:3299
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:3303 https://access.redhat.com/errata/RHSA-2024:3303
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:3625 https://access.redhat.com/errata/RHSA-2024:3625
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3626 https://access.redhat.com/errata/RHSA-2024:3626