Bug 2082158 (CVE-2022-29824)

Summary: CVE-2022-29824 libxml2: integer overflows in xmlBuf and xmlBuffer lead to out-of-bounds write
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aos-bugs, bdettelb, caswilli, csutherl, dhalasz, dking, dkuc, erik-fedora, fjansen, gzaronik, igor.raits, jburrell, jclere, jkoehler, jplesnik, jwong, jwon, kaycoth, kde-sig, kevin, krathod, ktietz, kyoshida, micjohns, mturk, ohudlick, pjindal, psegedy, rdieter, rfreiman, rh-spice-bugs, rjones, sthirugn, szappis, tcarlin, tfister, tkasparek, tmeszaro, tsasak, veillard, vkrizan, vkumar, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libxml2 2.9.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the libxml2 library in the functions used to manipulate the xmlBuf and xmlBuffer types. A sufficiently large input causes the values used to calculate buffer sizes to overflow, resulting in an out-of-bounds write.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-07-01 10:42:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2082278, 2082321, 2082277, 2082279, 2082280, 2082281, 2082296, 2082297, 2082298, 2082299, 2082300, 2082301, 2082320
Bug Blocks: 2082160

Description Patrick Del Bello 2022-05-05 13:56:19 UTC
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.9.14
https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd
https://gitlab.gnome.org/GNOME/libxslt/-/tags
https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab
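
The size-arithmetic bug class the description refers to, shown as an added example that is not libxml2's own code and not part of the bug report: a toy growable buffer whose length fields are `unsigned int` (the type xmlBuffer uses for its `use` and `size` members) computes `use + len + 1` to decide whether it must grow. Without a pre-check that expression wraps for a multi-gigabyte `len`, the buffer concludes "fits", and the following `memcpy` of `len` bytes runs past the allocation. The hardened `toybuf_add` rejects any `len` for which the arithmetic would wrap before computing it, and guards the doubling step as well. The type `ToyBuf`, the `toybuf_*` / `wrapped_needed` / `unchecked_would_overflow` names and the sample values are this example's own assumptions, not identifiers from libxml2.

```c
/* Added example (not libxml2 code): a toy growable buffer modelling the
 * "use + len + 1" size arithmetic with and without an overflow check.
 * ToyBuf, toybuf_* and the sample values are this example's own. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *content; /* NUL-terminated contents */
    unsigned int use;       /* bytes in use, excluding the terminator */
    unsigned int size;      /* bytes allocated (invariant: use < size) */
} ToyBuf;

/* Vulnerable arithmetic: computed in unsigned int, so it silently wraps
 * whenever use + len + 1 exceeds UINT_MAX. */
unsigned int wrapped_needed(unsigned int use, unsigned int len)
{
    return use + len + 1;
}

/* Returns 1 when the unchecked comparison concludes "fits, no grow needed"
 * although len bytes (plus the NUL) cannot follow the first `use` bytes.
 * That is exactly the state in which a subsequent memcpy writes out of bounds. */
int unchecked_would_overflow(unsigned int use, unsigned int size, unsigned int len)
{
    unsigned int needed = wrapped_needed(use, len);
    int thinks_it_fits = (needed <= size);
    int actually_fits  = (len < size - use);  /* room for len bytes and the NUL */
    return thinks_it_fits && !actually_fits;
}

int toybuf_init(ToyBuf *buf, unsigned int initial)
{
    if (initial == 0) initial = 1;
    buf->content = malloc(initial);
    if (buf->content == NULL) return -1;
    buf->content[0] = 0;
    buf->use = 0;
    buf->size = initial;
    return 0;
}

void toybuf_free(ToyBuf *buf)
{
    free(buf->content);
    buf->content = NULL;
    buf->use = buf->size = 0;
}

/* Hardened append: refuse any len whose size arithmetic would wrap *before*
 * doing that arithmetic, then grow with the doubling step guarded too. */
int toybuf_add(ToyBuf *buf, const unsigned char *data, unsigned int len)
{
    if (len == 0) return 0;
    /* use + len + 1 <= UINT_MAX  <=>  len < UINT_MAX - use */
    if (len >= UINT_MAX - buf->use) return -1;
    if (data == NULL) return -1;
    unsigned int needed = buf->use + len + 1;   /* cannot wrap now */
    if (needed > buf->size) {
        unsigned int newsize = buf->size;
        while (newsize < needed) {
            if (newsize > UINT_MAX / 2) { newsize = needed; break; } /* doubling would wrap */
            newsize *= 2;
        }
        unsigned char *p = realloc(buf->content, newsize);
        if (p == NULL) return -1;
        buf->content = p;
        buf->size = newsize;
    }
    memcpy(buf->content + buf->use, data, len);
    buf->use += len;
    buf->content[buf->use] = 0;
    return 0;
}

int main(void)
{
    unsigned int use = 10, size = 64, len = UINT_MAX - 5;  /* ~4 GiB append */
    printf("unchecked: needed=%u after wrap, passes size test=%d, would overflow=%d\n",
           wrapped_needed(use, len), wrapped_needed(use, len) <= size,
           unchecked_would_overflow(use, size, len));
    ToyBuf b;
    if (toybuf_init(&b, size) != 0) return 1;
    printf("checked add of %u bytes returns %d\n", len, toybuf_add(&b, NULL, len));
    toybuf_add(&b, (const unsigned char *)"hello", 5);
    printf("buffer now \"%s\" (use=%u size=%u)\n", b.content, b.use, b.size);
    toybuf_free(&b);
    return 0;
}
```

With `use = 10`, `size = 64` and `len = UINT_MAX - 5`, the unchecked expression wraps to 5, which is below `size`, so the vulnerable path would skip growth and copy about 4 GiB into a 64-byte allocation; the checked path rejects the same request before touching memory. The same wrap exists with `size_t` fields, it just needs a correspondingly larger input, which is why the check must be expressed as a bound on `len` rather than as a test on the already-computed sum.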

Comment 2 Guilherme de Almeida Suckevicz 2022-05-05 18:00:45 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2082277]


Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2082279]


Created perl-Alien-Libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2082280]


Created qt5-qtwebengine tracking bugs for this issue:

Affects: epel-all [bug 2082278]
Affects: fedora-all [bug 2082281]

Comment 8 errata-xmlrpc 2022-06-28 14:59:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5250 https://access.redhat.com/errata/RHSA-2022:5250

Comment 9 errata-xmlrpc 2022-06-28 18:32:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5317 https://access.redhat.com/errata/RHSA-2022:5317

Comment 10 Product Security DevOps Team 2022-07-01 10:42:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29824

Comment 11 errata-xmlrpc 2023-01-18 11:23:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841