Bug 2262726 (CVE-2024-25062) - CVE-2024-25062 libxml2: use-after-free in XMLReader
Summary: CVE-2024-25062 libxml2: use-after-free in XMLReader
Keywords:
Status: NEW
Alias: CVE-2024-25062
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2270721 2270724 2270725 2270726 2270727 2270730 2270272 2270273 2270274 2270275 2270722 2270728 2270729
Blocks: 2262728
TreeView+ depends on / blocked
 
Reported: 2024-02-05 04:29 UTC by Avinash Hanwate
Modified: 2024-05-09 19:22 UTC (History)
56 users (show)

Fixed In Version: libxml2 2.11.7 and libxml2 2.12.5
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in libxml2. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2683 0 None None None 2024-05-02 20:20:29 UTC
Red Hat Product Errata RHBA-2024:2685 0 None None None 2024-05-02 22:27:35 UTC
Red Hat Product Errata RHBA-2024:2687 0 None None None 2024-05-02 23:16:04 UTC
Red Hat Product Errata RHBA-2024:2688 0 None None None 2024-05-02 23:18:49 UTC
Red Hat Product Errata RHBA-2024:2689 0 None None None 2024-05-02 23:30:10 UTC
Red Hat Product Errata RHBA-2024:2690 0 None None None 2024-05-02 23:30:34 UTC
Red Hat Product Errata RHBA-2024:2691 0 None None None 2024-05-02 23:33:22 UTC
Red Hat Product Errata RHBA-2024:2692 0 None None None 2024-05-02 23:34:09 UTC
Red Hat Product Errata RHBA-2024:2698 0 None None None 2024-05-06 01:09:10 UTC
Red Hat Product Errata RHBA-2024:2701 0 None None None 2024-05-06 07:51:09 UTC
Red Hat Product Errata RHBA-2024:2706 0 None None None 2024-05-06 14:15:26 UTC
Red Hat Product Errata RHBA-2024:2708 0 None None None 2024-05-06 14:19:20 UTC
Red Hat Product Errata RHBA-2024:2709 0 None None None 2024-05-06 14:24:15 UTC
Red Hat Product Errata RHBA-2024:2711 0 None None None 2024-05-06 14:31:45 UTC
Red Hat Product Errata RHBA-2024:2712 0 None None None 2024-05-06 14:35:25 UTC
Red Hat Product Errata RHBA-2024:2717 0 None None None 2024-05-06 21:51:19 UTC
Red Hat Product Errata RHBA-2024:2725 0 None None None 2024-05-07 10:25:22 UTC
Red Hat Product Errata RHBA-2024:2726 0 None None None 2024-05-07 10:55:11 UTC
Red Hat Product Errata RHBA-2024:2747 0 None None None 2024-05-07 14:42:16 UTC
Red Hat Product Errata RHBA-2024:2760 0 None None None 2024-05-08 14:12:40 UTC
Red Hat Product Errata RHBA-2024:2785 0 None None None 2024-05-09 07:53:40 UTC
Red Hat Product Errata RHBA-2024:2801 0 None None None 2024-05-09 17:59:31 UTC
Red Hat Product Errata RHBA-2024:2810 0 None None None 2024-05-09 19:22:31 UTC
Red Hat Product Errata RHSA-2024:1317 0 None None None 2024-03-18 16:22:32 UTC
Red Hat Product Errata RHSA-2024:2679 0 None None None 2024-05-02 14:47:22 UTC

Description Avinash Hanwate 2024-02-05 04:29:50 UTC 
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
https://gitlab.gnome.org/GNOME/libxml2/-/tags
Comment 4 errata-xmlrpc 2024-03-18 16:22:28 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:1317 https://access.redhat.com/errata/RHSA-2024:1317
Comment 6 TEJ RATHI 2024-03-19 11:14:03 UTC 
Nokogiri upgrades its dependency libxml2 as follows:

    Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
    Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

References:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml
Comment 7 Vít Ondruch 2024-03-19 11:52:48 UTC 
Please note that rubygem-nokogiri is typically using system libxml2, therefore it should not be vulnerable:

https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118
Comment 8 Vít Ondruch 2024-03-19 12:01:30 UTC 
(In reply to Vít Ondruch from comment #7)
> Please note that rubygem-nokogiri is typically using system libxml2,
> therefore it should not be vulnerable:
> 
> https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/
> bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

BTW the dependency can be seen like this:

~~~
 rpm -qRp https://kojipkgs.fedoraproject.org//packages/rubygem-nokogiri/1.16.3/1.fc41/x86_64/rubygem-nokogiri-1.16.3-1.fc41.x86_64.rpm
(rubygem(racc) >= 1.4 with rubygem(racc) < 2)
/usr/bin/env
/usr/bin/ruby
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libc.so.6(GLIBC_ABI_DT_RELR)(64bit)
libexslt.so.0()(64bit)
libruby.so.3.3()(64bit)
libxml2.so.2()(64bit)
libxml2.so.2(LIBXML2_2.4.30)(64bit)
libxml2.so.2(LIBXML2_2.5.0)(64bit)
libxml2.so.2(LIBXML2_2.5.2)(64bit)
libxml2.so.2(LIBXML2_2.5.7)(64bit)
libxml2.so.2(LIBXML2_2.5.8)(64bit)
libxml2.so.2(LIBXML2_2.6.0)(64bit)
libxml2.so.2(LIBXML2_2.6.12)(64bit)
libxml2.so.2(LIBXML2_2.6.15)(64bit)
libxml2.so.2(LIBXML2_2.6.2)(64bit)
libxml2.so.2(LIBXML2_2.6.20)(64bit)
libxml2.so.2(LIBXML2_2.6.21)(64bit)
libxml2.so.2(LIBXML2_2.6.23)(64bit)
libxml2.so.2(LIBXML2_2.6.24)(64bit)
libxml2.so.2(LIBXML2_2.6.3)(64bit)
libxml2.so.2(LIBXML2_2.6.8)(64bit)
libxml2.so.2(LIBXML2_2.7.3)(64bit)
libxslt.so.1()(64bit)
libxslt.so.1(LIBXML2_1.0.11)(64bit)
libxslt.so.1(LIBXML2_1.0.13)(64bit)
libxslt.so.1(LIBXML2_1.0.18)(64bit)
libxslt.so.1(LIBXML2_1.0.24)(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
rpmlib(RichDependencies) <= 4.12.0-1
rtld(GNU_HASH)
ruby(rubygems)
rubygem(racc)
~~~

And if the libxml2 was bundled, there should have been `bundled(libxml2)` provide.

It seems that this methods are long forgotten by ProdSec, so I'd like to remind that it would be better if the trackers were not blindly filled all around.
Comment 9 Borja Tarraso 2024-03-21 15:03:59 UTC 
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2270722]


Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2270724]


Created pcem tracking bugs for this issue:

Affects: fedora-all [bug 2270725]


Created qt5-qtwebengine tracking bugs for this issue:

Affects: epel-all [bug 2270721]
Affects: fedora-all [bug 2270726]


Created qt6-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2270727]


Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2270728]
Affects: fedora-all [bug 2270729]
Comment 11 Vít Ondruch 2024-03-22 09:18:29 UTC 
(In reply to Vít Ondruch from comment #7)
> Please note that rubygem-nokogiri is typically using system libxml2,
> therefore it should not be vulnerable:
> 
> https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/
> bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

@btarraso / @trathi: Would you mind to update your tooling?
Comment 15 Lev Pachmanov 2024-04-16 09:32:37 UTC 
Looks like it was fixed by the following commits:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970884fcc13305cb8e23cdc5f0dd7667c2c
https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d
Comment 18 errata-xmlrpc 2024-05-02 14:47:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2679 https://access.redhat.com/errata/RHSA-2024:2679
Note You need to log in before you can comment on or make changes to this bug.