Bug 2262726 (CVE-2024-25062)
Summary: | CVE-2024-25062 libxml2: use-after-free in XMLReader | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aarif, agarcial, aoconnor, apatel, aprice, asegurap, bbuckingham, bcourt, bdettelb, btarraso, caswilli, csutherl, dfreiber, dhalasz, dkuc, drow, ehelms, fjansen, hkataria, hmatsumo, jburrell, jclere, jmitchel, jsamir, jsherril, jtanner, kaycoth, kgaikwad, kshier, lev.p, luizcosta, lzap, mhulan, mpierce, mturk, nmoumoul, nweather, omaciel, orabin, pcreech, pjindal, plodge, psegedy, rchan, saroy, stcannon, sthirugn, supatil, szappis, tpopela, trathi, tsasak, vkrizan, vkumar, vmugicag, yguenane |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | libxml2 2.11.7 and libxml2 2.12.5 | Doc Type: | If docs needed, set a value |
Doc Text: | A use-after-free flaw was found in libxml2. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. | ||
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2270721, 2270724, 2270725, 2270726, 2270727, 2270730, 2270272, 2270273, 2270274, 2270275, 2270722, 2270728, 2270729 | ||
Bug Blocks: | 2262728 |
Description
Avinash Hanwate
2024-02-05 04:29:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:1317 https://access.redhat.com/errata/RHSA-2024:1317

Nokogiri upgrades its dependency libxml2 as follows:

Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

References:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml

Please note that rubygem-nokogiri is typically using system libxml2, therefore it should not be vulnerable:
https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

(In reply to Vít Ondruch from comment #7)
> Please note that rubygem-nokogiri is typically using system libxml2,
> therefore it should not be vulnerable:
>
> https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

BTW the dependency can be seen like this:

~~~
rpm -qRp https://kojipkgs.fedoraproject.org//packages/rubygem-nokogiri/1.16.3/1.fc41/x86_64/rubygem-nokogiri-1.16.3-1.fc41.x86_64.rpm
(rubygem(racc) >= 1.4 with rubygem(racc) < 2)
/usr/bin/env
/usr/bin/ruby
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libc.so.6(GLIBC_ABI_DT_RELR)(64bit)
libexslt.so.0()(64bit)
libruby.so.3.3()(64bit)
libxml2.so.2()(64bit)
libxml2.so.2(LIBXML2_2.4.30)(64bit)
libxml2.so.2(LIBXML2_2.5.0)(64bit)
libxml2.so.2(LIBXML2_2.5.2)(64bit)
libxml2.so.2(LIBXML2_2.5.7)(64bit)
libxml2.so.2(LIBXML2_2.5.8)(64bit)
libxml2.so.2(LIBXML2_2.6.0)(64bit)
libxml2.so.2(LIBXML2_2.6.12)(64bit)
libxml2.so.2(LIBXML2_2.6.15)(64bit)
libxml2.so.2(LIBXML2_2.6.2)(64bit)
libxml2.so.2(LIBXML2_2.6.20)(64bit)
libxml2.so.2(LIBXML2_2.6.21)(64bit)
libxml2.so.2(LIBXML2_2.6.23)(64bit)
libxml2.so.2(LIBXML2_2.6.24)(64bit)
libxml2.so.2(LIBXML2_2.6.3)(64bit)
libxml2.so.2(LIBXML2_2.6.8)(64bit)
libxml2.so.2(LIBXML2_2.7.3)(64bit)
libxslt.so.1()(64bit)
libxslt.so.1(LIBXML2_1.0.11)(64bit)
libxslt.so.1(LIBXML2_1.0.13)(64bit)
libxslt.so.1(LIBXML2_1.0.18)(64bit)
libxslt.so.1(LIBXML2_1.0.24)(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
rpmlib(RichDependencies) <= 4.12.0-1
rtld(GNU_HASH)
ruby(rubygems)
rubygem(racc)
~~~

And if the libxml2 was bundled, there should have been `bundled(libxml2)` provide. It seems that these methods are long forgotten by ProdSec, so I'd like to remind that it would be better if the trackers were not blindly filled all around.

Created libxml2 tracking bugs for this issue:

  Affects: fedora-all [bug 2270722]

Created mingw-libxml2 tracking bugs for this issue:

  Affects: fedora-all [bug 2270724]

Created pcem tracking bugs for this issue:

  Affects: fedora-all [bug 2270725]

Created qt5-qtwebengine tracking bugs for this issue:

  Affects: epel-all [bug 2270721]
  Affects: fedora-all [bug 2270726]

Created qt6-qtwebengine tracking bugs for this issue:

  Affects: fedora-all [bug 2270727]

Created rubygem-nokogiri tracking bugs for this issue:

  Affects: epel-all [bug 2270728]
  Affects: fedora-all [bug 2270729]

(In reply to Vít Ondruch from comment #7)
> Please note that rubygem-nokogiri is typically using system libxml2,
> therefore it should not be vulnerable:
>
> https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

@btarraso / @trathi: Would you mind updating your tooling?

Looks like it was fixed by the following commits:

https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970884fcc13305cb8e23cdc5f0dd7667c2c
https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2679 https://access.redhat.com/errata/RHSA-2024:2679

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:3299 https://access.redhat.com/errata/RHSA-2024:3299

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3303 https://access.redhat.com/errata/RHSA-2024:3303
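As an added example, not code from the bug report, Nokogiri or libxml2: the triage check the rubygem-nokogiri comments above describe, namely whether a package links the system libxml2 (a `libxml2.so.2` Requires) or bundles its own (a `bundled(libxml2)` Provides), combined with a comparison against the two fixed versions in "Fixed In Version". The Requires/Provides lines are a constructed excerpt of the quoted `rpm -qRp` output, and the treatment of branches other than 2.11 and 2.12 is an assumption.

```python
import re

# Constructed sample input: a trimmed excerpt of the `rpm -qRp` output quoted
# in the bug for rubygem-nokogiri-1.16.3-1.fc41, plus a made-up Provides list.
SAMPLE_REQUIRES = """\
/usr/bin/ruby
libc.so.6(GLIBC_2.14)(64bit)
libexslt.so.0()(64bit)
libxml2.so.2()(64bit)
libxml2.so.2(LIBXML2_2.6.0)(64bit)
libxslt.so.1()(64bit)
""".splitlines()
SAMPLE_PROVIDES = ["rubygem(nokogiri) = 1.16.3"]

# "Fixed In Version" from the bug: each maintained branch has its own fix.
FIXED_IN = {(2, 11): 7, (2, 12): 5}


def libxml2_linkage(requires, provides):
    """Classify from rpm Requires/Provides lines: 'bundled', 'system' or 'none'."""
    if any(p.startswith("bundled(libxml2)") for p in provides):
        return "bundled"   # ships its own copy, so needs its own rebuild
    if any(r.startswith("libxml2.so.") for r in requires):
        return "system"    # fixed by updating the libxml2 package alone
    return "none"


def libxml2_is_fixed(version):
    """True when a libxml2 version is at or past the fix on its branch."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unexpected libxml2 version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) in FIXED_IN:
        return patch >= FIXED_IN[(major, minor)]
    # Assumption: branches after 2.12 were released with the fix; older
    # branches are treated as unfixed unless an advisory says otherwise.
    return (major, minor) > (2, 12)


def assess(requires, provides, installed_libxml2):
    """Turn linkage plus the installed libxml2 version into an action."""
    linkage = libxml2_linkage(requires, provides)
    if linkage == "bundled":
        return "rebuild against fixed libxml2"
    if linkage == "system":
        return "ok" if libxml2_is_fixed(installed_libxml2) else "update libxml2"
    return "no libxml2 dependency recorded"


if __name__ == "__main__":
    print(assess(SAMPLE_REQUIRES, SAMPLE_PROVIDES, "2.12.4"))
```

On a real host the two line lists come from `rpm -q --requires <pkg>` and `rpm -q --provides <pkg>`, and the installed version from `rpm -q --qf '%{VERSION}' libxml2`.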