Bug 2185984 (CVE-2023-29469) - CVE-2023-29469 libxml2: Hashing of empty dict strings isn't deterministic
Summary: CVE-2023-29469 libxml2: Hashing of empty dict strings isn't deterministic
Keywords:
Status: NEW
Alias: CVE-2023-29469
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2185986 2185992 2185985 2185987 2185988 2185989 2185990 2185991 2186691 2186692 2186693 2186694 2186696
Blocks: 2186003
Reported: 2023-04-11 19:13 UTC by Pedro Sampaio
Modified: 2024-02-01 03:42 UTC

Fixed In Version: libxml2 2.10.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libxml2. When hashing empty strings that aren't null-terminated, xmlDictComputeFastKey could produce inconsistent results, which may lead to various logic or memory errors, including double frees.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:4349 0 None None None 2023-08-01 08:49:29 UTC
Red Hat Product Errata RHSA-2023:4529 0 None None None 2023-08-08 08:20:01 UTC
Red Hat Product Errata RHSA-2023:4628 0 None None None 2023-08-15 17:37:19 UTC
Red Hat Product Errata RHSA-2024:0413 0 None None None 2024-01-24 16:47:06 UTC

Description Pedro Sampaio 2023-04-11 19:13:48 UTC
When hashing empty strings which aren't null-terminated, xmlDictComputeFastKey could produce inconsistent results. This could lead to various logic or memory errors, including double frees.

References:

https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4
https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64
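
The inconsistency described above, as an added illustration in C that is not libxml2's code and not part of this report: a simplified fast-key hash that folds in `*name` before consulting `namelen`, next to a variant that returns a fixed key for `namelen <= 0`. The function names and the `buf` input are constructed for the demonstration.

```c
#include <stdio.h>

/* Simplified model (not libxml2's code) of a "fast key" hash that reads the
 * first byte of the name before checking namelen. For an empty string that is
 * a zero-length view into a buffer without a terminator, that read picks up
 * whatever byte follows the pointer, so the key depends on unrelated memory. */
static unsigned long fast_key_unchecked(const unsigned char *name, int namelen, int seed)
{
    unsigned long value = (unsigned long)seed;

    if (name == NULL)
        return 0;
    value += *name;                 /* executed even when namelen == 0 */
    value <<= 5;
    if (namelen > 0)
        value += name[namelen - 1];
    return value;
}

/* Hardened variant: every empty string hashes to the same constant, so a
 * dictionary lookup and a later free of the same entry agree on its bucket. */
static unsigned long fast_key_checked(const unsigned char *name, int namelen, int seed)
{
    if (name == NULL || namelen <= 0)
        return 0;
    return fast_key_unchecked(name, namelen, seed);
}

/* Constructed input: three bytes and no NUL terminator. */
static const unsigned char buf[] = { 'x', 'm', 'l' };

/* Hash two empty strings, a NUL-terminated literal and a zero-length view
 * into buf, and report whether the keys agree. */
static int empty_keys_agree(unsigned long (*key)(const unsigned char *, int, int))
{
    unsigned long a = key((const unsigned char *)"", 0, 0);
    unsigned long b = key(buf, 0, 0);   /* empty, but *name is 'x' */
    return a == b;
}

int main(void)
{
    printf("unchecked: %s\n", empty_keys_agree(fast_key_unchecked) ? "consistent" : "inconsistent");
    printf("checked:   %s\n", empty_keys_agree(fast_key_checked) ? "consistent" : "inconsistent");
    return 0;
}
```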

Comment 1 Pedro Sampaio 2023-04-11 19:14:08 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2185985]

Comment 2 Pedro Sampaio 2023-04-11 19:18:41 UTC
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2185987]


Created pcem tracking bugs for this issue:

Affects: fedora-all [bug 2185988]


Created qt5-qtwebengine tracking bugs for this issue:

Affects: epel-all [bug 2185986]
Affects: fedora-all [bug 2185989]


Created qt6-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2185990]


Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2185992]
Affects: fedora-all [bug 2185991]

Comment 3 Vít Ondruch 2023-04-12 07:58:06 UTC
@Pedro, I wonder how the list of affected libraries is compiled? I understand that rubygem-nokogiri might bundle libxml2, but that is not the case. It is very unfortunate that ProdSec recently started to file these false positive trackers. Unfortunately, OTOH, we don't have trackers which really affect some components (e.g. CVE-2023-28755, CVE-2023-28756).

Comment 7 Pedro Sampaio 2023-04-14 21:02:25 UTC
(In reply to Vít Ondruch from comment #3)
> @Pedro, I wonder how the list of affected libraries is compiled? I understand
> that rubygem-nokogiri might bundle libxml2, but that is not the case. It is
> very unfortunate that ProdSec recently started to file these false positive
> trackers. Unfortunately, OTOH, we don't have trackers which really affect
> some components (e.g. CVE-2023-28755, CVE-2023-28756).

The list is compiled from information in the report combined with the data in our package manifests. We have to rely on the information from the report for the initial assessment and bug filing. That's why sometimes we'll put packages that might not be affected in the affects list. Unfortunately we have to delegate some of the affect checking to other teams.

Comment 8 Vít Ondruch 2023-04-17 10:17:26 UTC
(In reply to Pedro Sampaio from comment #7)
> The list is compiled from information in the report combined with the data
> in our package manifests. We have to rely on the information from the report
> for the initial assessment and bug filing. That's why sometimes we'll put
> packages that might not be affected in the affects list. Unfortunately we
> have to delegate some of the affect checking to other teams.

So could you please update your package manifests and mark there that rubygem-nokogiri does not bundle libxml2, so we don't need to have this discussion again?

BTW if rubygem-nokogiri bundled libxml2, there would be a `bundled(libxml2)` provide, which:

1) is still mandatory in Fedora AFAIK [1]
2) is not there.
[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling

Comment 9 Pedro Sampaio 2023-04-28 11:24:42 UTC
(In reply to Vít Ondruch from comment #8)
> So could you please update your package manifests and mark there that
> rubygem-nokogiri does not bundle libxml2, so we don't need to have this
> discussion again?
> 
> BTW if rubygem-nokogiri bundled libxml2, there would be a `bundled(libxml2)`
> provide, which:
> 
> 1) is still mandatory in Fedora AFAIK [1]
> 2) is not there.
> 
> [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling

Thank you for the info. I'll update the manifests.

Comment 15 errata-xmlrpc 2023-08-01 08:49:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4349 https://access.redhat.com/errata/RHSA-2023:4349

Comment 17 errata-xmlrpc 2023-08-08 08:19:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4529 https://access.redhat.com/errata/RHSA-2023:4529

Comment 18 errata-xmlrpc 2023-08-15 17:37:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2023:4628 https://access.redhat.com/errata/RHSA-2023:4628

Comment 21 errata-xmlrpc 2024-01-24 16:47:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0413 https://access.redhat.com/errata/RHSA-2024:0413
