Bug 2262726 (CVE-2024-25062) - CVE-2024-25062 libxml2: use-after-free in XMLReader
Summary: CVE-2024-25062 libxml2: use-after-free in XMLReader
Keywords:
Status: NEW
Alias: CVE-2024-25062
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2270721 2270724 2270725 2270726 2270727 2270730 2270272 2270273 2270274 2270275 2270722 2270728 2270729
Blocks: 2262728
TreeView+ depends on / blocked
 
Reported: 2024-02-05 04:29 UTC by Avinash Hanwate
Modified: 2024-04-01 11:58 UTC (History)
53 users (show)

Fixed In Version: libxml2 2.11.7 and libxml2 2.12.5
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in libxml2. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:1317 0 None None None 2024-03-18 16:22:32 UTC

Description Avinash Hanwate 2024-02-05 04:29:50 UTC
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
https://gitlab.gnome.org/GNOME/libxml2/-/tags

Comment 4 errata-xmlrpc 2024-03-18 16:22:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:1317 https://access.redhat.com/errata/RHSA-2024:1317

Comment 6 TEJ RATHI 2024-03-19 11:14:03 UTC
Nokogiri upgrades its dependency libxml2 as follows:

    Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
    Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

References:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml

Comment 7 Vít Ondruch 2024-03-19 11:52:48 UTC
Please note that rubygem-nokogiri is typically using system libxml2, therefore it should not be vulnerable:

https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

Comment 8 Vít Ondruch 2024-03-19 12:01:30 UTC
(In reply to Vít Ondruch from comment #7)
> Please note that rubygem-nokogiri is typically using system libxml2,
> therefore it should not be vulnerable:
> 
> https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/
> bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

BTW the dependency can be seen like this:

~~~
 rpm -qRp https://kojipkgs.fedoraproject.org//packages/rubygem-nokogiri/1.16.3/1.fc41/x86_64/rubygem-nokogiri-1.16.3-1.fc41.x86_64.rpm
(rubygem(racc) >= 1.4 with rubygem(racc) < 2)
/usr/bin/env
/usr/bin/ruby
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libc.so.6(GLIBC_ABI_DT_RELR)(64bit)
libexslt.so.0()(64bit)
libruby.so.3.3()(64bit)
libxml2.so.2()(64bit)
libxml2.so.2(LIBXML2_2.4.30)(64bit)
libxml2.so.2(LIBXML2_2.5.0)(64bit)
libxml2.so.2(LIBXML2_2.5.2)(64bit)
libxml2.so.2(LIBXML2_2.5.7)(64bit)
libxml2.so.2(LIBXML2_2.5.8)(64bit)
libxml2.so.2(LIBXML2_2.6.0)(64bit)
libxml2.so.2(LIBXML2_2.6.12)(64bit)
libxml2.so.2(LIBXML2_2.6.15)(64bit)
libxml2.so.2(LIBXML2_2.6.2)(64bit)
libxml2.so.2(LIBXML2_2.6.20)(64bit)
libxml2.so.2(LIBXML2_2.6.21)(64bit)
libxml2.so.2(LIBXML2_2.6.23)(64bit)
libxml2.so.2(LIBXML2_2.6.24)(64bit)
libxml2.so.2(LIBXML2_2.6.3)(64bit)
libxml2.so.2(LIBXML2_2.6.8)(64bit)
libxml2.so.2(LIBXML2_2.7.3)(64bit)
libxslt.so.1()(64bit)
libxslt.so.1(LIBXML2_1.0.11)(64bit)
libxslt.so.1(LIBXML2_1.0.13)(64bit)
libxslt.so.1(LIBXML2_1.0.18)(64bit)
libxslt.so.1(LIBXML2_1.0.24)(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
rpmlib(RichDependencies) <= 4.12.0-1
rtld(GNU_HASH)
ruby(rubygems)
rubygem(racc)
~~~

And if the libxml2 was bundled, there should have been `bundled(libxml2)` provide.

It seems that this methods are long forgotten by ProdSec, so I'd like to remind that it would be better if the trackers were not blindly filled all around.

Comment 9 Borja Tarraso 2024-03-21 15:03:59 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2270722]


Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2270724]


Created pcem tracking bugs for this issue:

Affects: fedora-all [bug 2270725]


Created qt5-qtwebengine tracking bugs for this issue:

Affects: epel-all [bug 2270721]
Affects: fedora-all [bug 2270726]


Created qt6-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2270727]


Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2270728]
Affects: fedora-all [bug 2270729]

Comment 11 Vít Ondruch 2024-03-22 09:18:29 UTC
(In reply to Vít Ondruch from comment #7)
> Please note that rubygem-nokogiri is typically using system libxml2,
> therefore it should not be vulnerable:
> 
> https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/
> bec33a2666c3a1af156b0802227ef5a65e2d007a/f/rubygem-nokogiri.spec#_118

@btarraso / @trathi: Would you mind to update your tooling?


Note You need to log in before you can comment on or make changes to this bug.