Bug 1219578

Summary: VUL-0: CVE-2024-25062: perl-Alien-Libxml2: libxml2: use-after-free in XMLReader
Product: [Novell Products] SUSE Security Incidents
Reporter: Andrea Mattiazzo <andrea.mattiazzo>
Component: Incidents
Assignee: Pedro Monreal Gonzalez <pmonrealgonzalez>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: andrea.mattiazzo, pmonrealgonzalez, security-team, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/392982/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1219575

Description Andrea Mattiazzo 2024-02-05 15:00:54 UTC
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25062
https://gitlab.gnome.org/GNOME/libxml2/-/tags
https://www.cve.org/CVERecord?id=CVE-2024-25062
https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
https://bugzilla.redhat.com/show_bug.cgi?id=2262726

Patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d
Comment 1 Andrea Mattiazzo 2024-02-05 15:01:23 UTC
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/perl-Alien-Libxml2
- openSUSE:Factory/perl-Alien-Libxml2
Comment 3 Pedro Monreal Gonzalez 2024-02-06 12:53:06 UTC
perl-Alien-Libxml2 uses the system libxml2, so I think fixing it on the libxml2 side will be enough here.

There seems to be a new upstream version with number 2.2.15 that includes the fix, see: https://discourse.gnome.org/t/libxml2-2-12-5-released/19337

For the perl-Alien-Libxml2 package in particular, upgrading to the new version will suffice in both Factory and ALP. Could you ask the libxml2 maintainer to upgrade the package in both Factory and ALP and fix it in the rest of the SLE codestreams in the context of bsc#1219576?

TIA
Comment 4 Andrea Mattiazzo 2024-02-06 13:49:47 UTC
I created the bug since, looking inside the package, it seems that it downloads the libxml2 package directly from GitLab via this Download::GitLab plugin, and the version that it fetches is hardcoded in the source ("version" : "0.19"). But if you confirm that it uses the system one, we proceed with fixing only the libxml2 package and close this one.
Comment 5 Pedro Monreal Gonzalez 2024-02-07 11:04:49 UTC
Yes, I double checked and it uses the system libxml2 library. Thanks for the pointer to the Download::GitLab plugin; it looks like it's only used to get the version to check if it's listed as a 'bad version'.
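Added check script, not code from this bug report or from the perl-Alien-Libxml2 package: it encodes the affected range stated in the description (libxml2 before 2.11.7, and 2.12.x before 2.12.5), reads the installed libxml2 version through pkg-config or xml2-config, and asks Alien::Libxml2 which library it resolved to, which is the question settled in comments 3 to 5. It assumes that Alien::Libxml2 inherits the Alien::Base class methods install_type and version; everything else is plain POSIX sh.

```shell
#!/bin/sh
# Added example (not from the bug report or perl-Alien-Libxml2).
# Checks a libxml2 version against the CVE-2024-25062 range given in the
# description (before 2.11.7, and 2.12.x before 2.12.5) and reports which
# libxml2 the Perl Alien module actually resolves to.

# is_affected VERSION: exit 0 (true) if VERSION is in the affected range.
# Accepts "2.12.4", "2.12" or "2.9.14-rc1"; non-numeric suffixes are dropped.
is_affected() {
    v=$1
    major=${v%%.*}; v=${v#*.}
    minor=${v%%.*}
    case $v in
        *.*) v=${v#*.} ;;       # a patch component follows
        *)   v=0 ;;             # "2.12" style version: treat as .0
    esac
    patch=${v%%[!0-9]*}         # strip "-rc1" and similar
    [ -n "$patch" ] || patch=0
    [ "$major" -lt 2 ] && return 0
    [ "$major" -eq 2 ] || return 1                      # 3.x and later
    [ "$minor" -lt 11 ] && return 0                     # 2.10.x and older
    [ "$minor" -eq 11 ] && [ "$patch" -lt 7 ] && return 0
    [ "$minor" -eq 12 ] && [ "$patch" -lt 5 ] && return 0
    return 1
}

# Version of the distro libxml2, the one the comments say the module uses.
system_libxml2_version() {
    pkg-config --modversion libxml-2.0 2>/dev/null && return 0
    xml2-config --version 2>/dev/null
}

report() {
    sysver=$(system_libxml2_version) || {
        echo "libxml2 not found via pkg-config or xml2-config"
        return 1
    }
    if is_affected "$sysver"; then
        echo "system libxml2 $sysver: in the CVE-2024-25062 range (fixed in 2.11.7 / 2.12.5)"
    else
        echo "system libxml2 $sysver: outside the CVE-2024-25062 range"
    fi
    # install_type "system" means the distro library above is used;
    # "share" would mean a privately built copy that needs its own update.
    # (Assumes the Alien::Base methods install_type and version exist.)
    if alien=$(perl -MAlien::Libxml2 -e \
            'print Alien::Libxml2->install_type, " ", Alien::Libxml2->version' 2>/dev/null); then
        echo "Alien::Libxml2 install_type and version: $alien"
    else
        echo "Alien::Libxml2 is not installed or could not be loaded"
    fi
}

# Run the report only when invoked as "sh check.sh --check", so the
# functions can also be sourced into another script.
if [ "${1-}" = "--check" ]; then
    report
fi
```

Run it as `sh check.sh --check`; an install_type of "system" together with a version outside the range confirms the situation described in comment 5, namely that updating the distro libxml2 package is sufficient for this module.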
Comment 6 Andrea Mattiazzo 2024-02-07 13:12:29 UTC
Closed since the fix will be applied through the libxml2 package.