Bug 1219579

Summary: VUL-0: CVE-2024-25062: rubygem-nokogiri: libxml2: use-after-free in XMLReader
Product: [Novell Products] SUSE Security Incidents Reporter: Andrea Mattiazzo <andrea.mattiazzo>
Component: IncidentsAssignee: Marcus Rückert <mrueckert>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo, meissner, security-team, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/392982/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1219575    

Description Andrea Mattiazzo 2024-02-05 15:03:11 UTC 
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25062
https://gitlab.gnome.org/GNOME/libxml2/-/tags
https://www.cve.org/CVERecord?id=CVE-2024-25062
https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
https://bugzilla.redhat.com/show_bug.cgi?id=2262726

Patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d
Comment 1 Andrea Mattiazzo 2024-02-05 15:03:56 UTC 
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/rubygem-nokogiri
- SUSE:SLE-12:Update/rubygem-nokogiri
- SUSE:SLE-15-SP4:Update/rubygem-nokogiri
- SUSE:SLE-15:Update/rubygem-nokogiri
- openSUSE:Factory/rubygem-nokogiri
Comment 3 Marcus Meissner 2024-02-28 12:35:20 UTC 
Currently nokogiri links against our system libxml2.

checked on sles15 sp5.
Comment 4 Marcus Meissner 2024-02-28 12:36:00 UTC 
not affected