Bug 2185984 (CVE-2023-29469)

Summary: CVE-2023-29469 libxml2: Hashing of empty dict strings isn't deterministic
Product: [Other] Security Response
Component: vulnerability
Reporter: Pedro Sampaio <psampaio>
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: libxml2 2.10.4
CC: adudiak, akarol, amackenz, amasferr, aoconnor, bbuckingham, bcourt, bdettelb, caswilli, chazlett, csutherl, dffrench, dhalasz, dking, dkuc, dmetzger, ehelms, fjansen, gmccullo, gtanzill, gzaronik, hbraun, hkataria, ikanias, jary, jburrell, jclere, jhardy, jmitchel, jsherril, jtanner, kaycoth, kshier, lzap, mhulan, micjohns, mkudlej, mturk, myarboro, ngough, nmoumoul, nweather, oezr, ohudlick, orabin, pcreech, peholase, pjindal, plodge, psegedy, rchan, rgodfrey, rh-spice-bugs, roliveri, rravi, simaishi, smallamp, stcannon, sthirugn, szappis, tcarlin, tjochec, tkasparek, tohughes, tsasak, veillard, vkrizan, vmugicag, yguenane
Doc Text:
A flaw was found in libxml2. When hashing empty strings that are not null-terminated, xmlDictComputeFastKey could produce inconsistent results, which may lead to various logic or memory errors, including double frees.
Bug Depends On: 2185986, 2185987, 2185988, 2185989, 2185990, 2185992, 2186692, 2186694, 2185985, 2185991, 2186691, 2186693, 2186696    
Bug Blocks: 2186003    

Description Pedro Sampaio 2023-04-11 19:13:48 UTC
When hashing empty strings which aren't null-terminated, xmlDictComputeFastKey could produce inconsistent results. This could lead to various logic or memory errors, including double frees.

References:

https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4
https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64
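
The description above states the mechanism without code. What follows is an added example written for this page; it is not libxml2's xmlDictComputeFastKey and not the fix commit. It models the defect in a simplified string hash (the byte-mixing scheme, the function names and the sample buffers are constructed for the demonstration) and puts a hardened variant beside it, so the non-determinism can be observed on two empty, non-NUL-terminated keys that a dictionary must treat as the same key:

```c
#include <stdio.h>

/* Added example, not libxml2's own code: a simplified model of a
 * libxml2-style "fast key" string hash, written to show the failure mode
 * described in the report. Names, mixing scheme and sample buffers are
 * constructed for this demonstration. */

typedef unsigned long (*key_fn)(const unsigned char *name, int namelen, int seed);

/* Model of the defective behaviour: the first byte of `name` is mixed in
 * before `namelen` is consulted, so for namelen == 0 the key depends on
 * whatever byte happens to sit at name[0]. If the caller did not
 * NUL-terminate the buffer, that byte is arbitrary. */
static unsigned long
fast_key_before_fix(const unsigned char *name, int namelen, int seed)
{
    unsigned long value = (unsigned long)seed;
    int i;

    if (name == NULL)
        return 0;
    value += *name;                 /* defect: read even when namelen == 0 */
    value <<= 5;
    if (namelen > 10) {
        value += name[namelen - 1]; /* long names also mix in the last byte */
        namelen = 10;
    }
    for (i = 0; i < namelen; i++)   /* mix in up to 10 leading bytes */
        value += name[i];
    return value;
}

/* Hardened model: an empty name is rejected before any byte of `name` is
 * touched, so the key of "" no longer depends on memory past the string. */
static unsigned long
fast_key_after_fix(const unsigned char *name, int namelen, int seed)
{
    unsigned long value = (unsigned long)seed;
    int i;

    if (name == NULL || namelen <= 0)
        return 0;
    value += *name;
    value <<= 5;
    if (namelen > 10) {
        value += name[namelen - 1];
        namelen = 10;
    }
    for (i = 0; i < namelen; i++)
        value += name[i];
    return value;
}

/* Constructed sample input: two empty (length 0) keys that are NOT
 * NUL-terminated; the byte following each "string" differs. */
static const unsigned char empty_key_a[2] = { 'A', 0x7f };
static const unsigned char empty_key_b[2] = { 'Z', 0x7f };

/* Returns 1 if `fn` hashes both empty keys to the same value, 0 otherwise.
 * When this returns 0, a dict lookup of "" can miss the entry inserted a
 * moment earlier under a different key, which is where the logic and
 * memory errors in the report begin. */
static int
keys_consistent(key_fn fn)
{
    return fn(empty_key_a, 0, 0) == fn(empty_key_b, 0, 0);
}

int
main(void)
{
    printf("before fix: key(a)=%lu key(b)=%lu consistent=%d\n",
           fast_key_before_fix(empty_key_a, 0, 0),
           fast_key_before_fix(empty_key_b, 0, 0),
           keys_consistent(fast_key_before_fix));
    printf("after fix:  key(a)=%lu key(b)=%lu consistent=%d\n",
           fast_key_after_fix(empty_key_a, 0, 0),
           fast_key_after_fix(empty_key_b, 0, 0),
           keys_consistent(fast_key_after_fix));
    /* non-empty names hash identically under both variants */
    printf("\"abc\": before=%lu after=%lu\n",
           fast_key_before_fix((const unsigned char *)"abc", 3, 0),
           fast_key_after_fix((const unsigned char *)"abc", 3, 0));
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. The hardened variant checks the length before dereferencing the name, and returning the same constant for every empty name is correct because all empty names are one key. The invariant a reviewer should look for in any string-interning dictionary is that equal keys always produce equal hashes regardless of surrounding memory; a length-aware hash that still reads bytes beyond the declared length violates it even when no out-of-bounds read is ever reported.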

Comment 1 Pedro Sampaio 2023-04-11 19:14:08 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2185985]

Comment 2 Pedro Sampaio 2023-04-11 19:18:41 UTC
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2185987]


Created pcem tracking bugs for this issue:

Affects: fedora-all [bug 2185988]


Created qt5-qtwebengine tracking bugs for this issue:

Affects: epel-all [bug 2185986]
Affects: fedora-all [bug 2185989]


Created qt6-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2185990]


Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2185992]
Affects: fedora-all [bug 2185991]

Comment 3 Vít Ondruch 2023-04-12 07:58:06 UTC
@Pedro I wonder how the list of affected libraries is compiled? I understand that rubygem-nokogiri might bundle libxml2, but that is not the case. It is very unfortunate that ProdSec recently started to file these false-positive trackers. Unfortunately, OTOH, we don't have trackers which really affect some components (e.g. CVE-2023-28755, CVE-2023-28756).

Comment 7 Pedro Sampaio 2023-04-14 21:02:25 UTC
(In reply to Vít Ondruch from comment #3)
> @Pedro I wonder how the list of affected libraries is compiled? I understand
> that rubygem-nokogiri might bundle libxml2, but that is not the case. It is
> very unfortunate that ProdSec recently started to file these false-positive
> trackers. Unfortunately, OTOH, we don't have trackers which really affect
> some components (e.g. CVE-2023-28755, CVE-2023-28756).

The list is compiled from information in the report combined with the data in our package manifests. We have to rely on the information from the report for the initial assessment and bug filing. That's why sometimes we'll put in the affects list packages that might not be affected. Unfortunately we have to delegate some of the affect checking to other teams.

Comment 8 Vít Ondruch 2023-04-17 10:17:26 UTC
(In reply to Pedro Sampaio from comment #7)
> (In reply to Vít Ondruch from comment #3)
> > @Pedro I wonder how the list of affected libraries is compiled? I understand
> > that rubygem-nokogiri might bundle libxml2, but that is not the case. It is
> > very unfortunate that ProdSec recently started to file these false-positive
> > trackers. Unfortunately, OTOH, we don't have trackers which really affect
> > some components (e.g. CVE-2023-28755, CVE-2023-28756).
> 
> The list is compiled from information in the report combined with the data
> in our package manifests. We have to rely on the information from the report
> for the initial assessment and bug filing. That's why sometimes we'll put
> in the affects list packages that might not be affected. Unfortunately we
> have to delegate some of the affect checking to other teams.

So could you please update your package manifests and mark there that rubygem-nokogiri does not bundle libxml2, so we don't need to have this discussion again?

BTW if rubygem-nokogiri bundled libxml2, there would be `bundled(libxml2)` provide which:

1) is still mandatory in Fedora AFAIK [1]
2) is not there.
[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling

Comment 9 Pedro Sampaio 2023-04-28 11:24:42 UTC
(In reply to Vít Ondruch from comment #8)
> (In reply to Pedro Sampaio from comment #7)
> > (In reply to Vít Ondruch from comment #3)
> > > @Pedro I wonder how the list of affected libraries is compiled? I understand
> > > that rubygem-nokogiri might bundle libxml2, but that is not the case. It is
> > > very unfortunate that ProdSec recently started to file these false-positive
> > > trackers. Unfortunately, OTOH, we don't have trackers which really affect
> > > some components (e.g. CVE-2023-28755, CVE-2023-28756).
> > 
> > The list is compiled from information in the report combined with the data
> > in our package manifests. We have to rely on the information from the report
> > for the initial assessment and bug filing. That's why sometimes we'll put
> > in the affects list packages that might not be affected. Unfortunately we
> > have to delegate some of the affect checking to other teams.
> 
> So could you please update your package manifests and mark there that
> rubygem-nokogiri does not bundle libxml2, so we don't need to have this
> discussion again?
> 
> BTW if rubygem-nokogiri bundled libxml2, there would be `bundled(libxml2)`
> provide which:
> 
> 1) is still mandatory in Fedora AFAIK [1]
> 2) is not there.
> 
> 
> 
> [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling

Thank you for the info. I'll update the manifests.

Comment 15 errata-xmlrpc 2023-08-01 08:49:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4349 https://access.redhat.com/errata/RHSA-2023:4349

Comment 17 errata-xmlrpc 2023-08-08 08:19:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4529 https://access.redhat.com/errata/RHSA-2023:4529

Comment 18 errata-xmlrpc 2023-08-15 17:37:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2023:4628 https://access.redhat.com/errata/RHSA-2023:4628