Bug 2262726 (CVE-2024-25062)

Summary: CVE-2024-25062 libxml2: use-after-free in XMLReader
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aarif, agarcial, aoconnor, apatel, aprice, asegurap, bbuckingham, bcourt, bdettelb, btarraso, caswilli, csutherl, dfreiber, dhalasz, dkuc, drow, ehelms, fjansen, hkataria, hmatsumo, jburrell, jclere, jmitchel, jsamir, jsherril, jtanner, kaycoth, kgaikwad, kshier, lev.p, luizcosta, lzap, mhulan, mpierce, mturk, nmoumoul, nweather, omaciel, orabin, pcreech, pjindal, plodge, psegedy, rchan, saroy, stcannon, sthirugn, supatil, szappis, tpopela, trathi, tsasak, vkrizan, vkumar, vmugicag, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libxml2 2.11.7 and libxml2 2.12.5
Doc Text:
A use-after-free flaw was found in libxml2. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Story Points: ---
Bug Depends On: 2270721, 2270724, 2270725, 2270726, 2270727, 2270730, 2270272, 2270273, 2270274, 2270275, 2270722, 2270728, 2270729    
Bug Blocks: 2262728    

Description Avinash Hanwate 2024-02-05 04:29:50 UTC
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
https://gitlab.gnome.org/GNOME/libxml2/-/tags

Comment 4 errata-xmlrpc 2024-03-18 16:22:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:1317 https://access.redhat.com/errata/RHSA-2024:1317

Comment 6 TEJ RATHI 2024-03-19 11:14:03 UTC
Nokogiri upgrades its dependency libxml2 as follows:

    Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
    Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

References:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml

Comment 7 Vít Ondruch 2024-03-19 11:52:48 UTC
Please note that rubygem-nokogiri is typically using system libxml2, therefore it should not be vulnerable:

https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

Comment 8 Vít Ondruch 2024-03-19 12:01:30 UTC
(In reply to Vít Ondruch from comment #7)
> Please note that rubygem-nokogiri is typically using system libxml2,
> therefore it should not be vulnerable:
> 
> https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/
> bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

BTW the dependency can be seen like this:

~~~
 rpm -qRp https://kojipkgs.fedoraproject.org//packages/rubygem-nokogiri/1.16.3/1.fc41/x86_64/rubygem-nokogiri-1.16.3-1.fc41.x86_64.rpm
(rubygem(racc) >= 1.4 with rubygem(racc) < 2)
/usr/bin/env
/usr/bin/ruby
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libc.so.6(GLIBC_ABI_DT_RELR)(64bit)
libexslt.so.0()(64bit)
libruby.so.3.3()(64bit)
libxml2.so.2()(64bit)
libxml2.so.2(LIBXML2_2.4.30)(64bit)
libxml2.so.2(LIBXML2_2.5.0)(64bit)
libxml2.so.2(LIBXML2_2.5.2)(64bit)
libxml2.so.2(LIBXML2_2.5.7)(64bit)
libxml2.so.2(LIBXML2_2.5.8)(64bit)
libxml2.so.2(LIBXML2_2.6.0)(64bit)
libxml2.so.2(LIBXML2_2.6.12)(64bit)
libxml2.so.2(LIBXML2_2.6.15)(64bit)
libxml2.so.2(LIBXML2_2.6.2)(64bit)
libxml2.so.2(LIBXML2_2.6.20)(64bit)
libxml2.so.2(LIBXML2_2.6.21)(64bit)
libxml2.so.2(LIBXML2_2.6.23)(64bit)
libxml2.so.2(LIBXML2_2.6.24)(64bit)
libxml2.so.2(LIBXML2_2.6.3)(64bit)
libxml2.so.2(LIBXML2_2.6.8)(64bit)
libxml2.so.2(LIBXML2_2.7.3)(64bit)
libxslt.so.1()(64bit)
libxslt.so.1(LIBXML2_1.0.11)(64bit)
libxslt.so.1(LIBXML2_1.0.13)(64bit)
libxslt.so.1(LIBXML2_1.0.18)(64bit)
libxslt.so.1(LIBXML2_1.0.24)(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
rpmlib(RichDependencies) <= 4.12.0-1
rtld(GNU_HASH)
ruby(rubygems)
rubygem(racc)
~~~

And if libxml2 was bundled, there should have been a `bundled(libxml2)` provide.

It seems that these methods are long forgotten by ProdSec, so I'd like to remind you that it would be better if the trackers were not blindly filed all around.
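
The two checks above (does a package link the system libxml2 or bundle its own, and is the installed libxml2 at a fixed version) as an added shell example; this is not code from the bug report or from Fedora tooling. It assumes the caller feeds it the concatenated output of `rpm -qR` and `rpm -qP` for the package, and the fixed-version thresholds are the ones stated in this bug (2.11.7, 2.12.5, and the "2.12.x before 2.12.5" wording implying later branches are unaffected). The sample listings are constructed, not real command output.

```shell
# Constructed sample of `rpm -qR` + `rpm -qP` output for a package that links
# the distribution's libxml2 (the soname requires are what rpm records).
SAMPLE_SYSTEM_LINKED='/usr/bin/ruby
libc.so.6()(64bit)
libxml2.so.2()(64bit)
libxml2.so.2(LIBXML2_2.6.0)(64bit)
rubygem(racc)'

# Constructed sample for a package that carries its own copy of libxml2;
# Fedora packaging expresses that as a bundled(libxml2) provide.
SAMPLE_BUNDLED='/usr/bin/ruby
libc.so.6()(64bit)
bundled(libxml2) = 2.12.4'

# Classify how a package obtains libxml2. Prints: bundled | system | none.
# A bundled copy must be tracked and patched separately from the system lib.
libxml2_linkage() {
    if printf '%s\n' "$1" | grep -q '^bundled(libxml2)'; then
        echo bundled
    elif printf '%s\n' "$1" | grep -q '^libxml2\.so\.2('; then
        echo system
    else
        echo none
    fi
}

# Return 0 if the given libxml2 version (e.g. "2.11.7" or "2.12.5-1.fc41")
# contains the fix for CVE-2024-25062: 2.11.7+ on the 2.11 branch, 2.12.5+ on
# the 2.12 branch, or any later branch. Returns 1 for unfixed versions,
# including every 2.10.x and earlier release.
libxml2_fixed() {
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%[!0-9]*}        # drop a release suffix such as -1.fc41
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 12 ] && return 0
    [ "$minor" -eq 12 ] && [ "$patch" -ge 5 ] && return 0
    [ "$minor" -eq 11 ] && [ "$patch" -ge 7 ] && return 0
    return 1
}
```

On a live host the inputs would come from `rpm -qR <pkg>; rpm -qP <pkg>` and `rpm -q --qf '%{VERSION}-%{RELEASE}' libxml2`; a result of `system` plus an unfixed libxml2 means the package is exposed through the shared library even though its own tracker is closed.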

Comment 9 Borja Tarraso 2024-03-21 15:03:59 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2270722]


Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2270724]


Created pcem tracking bugs for this issue:

Affects: fedora-all [bug 2270725]


Created qt5-qtwebengine tracking bugs for this issue:

Affects: epel-all [bug 2270721]
Affects: fedora-all [bug 2270726]


Created qt6-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2270727]


Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2270728]
Affects: fedora-all [bug 2270729]

Comment 11 Vít Ondruch 2024-03-22 09:18:29 UTC
(In reply to Vít Ondruch from comment #7)
> Please note that rubygem-nokogiri is typically using system libxml2,
> therefore it should not be vulnerable:
> 
> https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/
> bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

@btarraso / @trathi: Would you mind updating your tooling?

Comment 18 errata-xmlrpc 2024-05-02 14:47:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2679 https://access.redhat.com/errata/RHSA-2024:2679

Comment 19 errata-xmlrpc 2024-05-22 21:50:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:3299 https://access.redhat.com/errata/RHSA-2024:3299

Comment 20 errata-xmlrpc 2024-05-23 06:23:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3303 https://access.redhat.com/errata/RHSA-2024:3303