Bugzilla – Bug 1159928
VUL-1: CVE-2019-19956: libxml2: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
Last modified: 2023-05-02 16:04:51 UTC
CVE-2019-19956

xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19956
https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549
(small leak)
Looks like libxml2.SUSE_SLE-10-SP3_Update_Test is not affected.
openSUSE-SU-2020:0681-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159928,1161517,1161521
CVE References: CVE-2019-19956,CVE-2019-20388,CVE-2020-7595
Sources used:
openSUSE Leap 15.1 (src): libxml2-2.9.7-lp151.5.9.1, python-libxml2-python-2.9.7-lp151.5.9.1
SUSE-SU-2020:2609-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1159928,1161517,1161521,1172021,1176179
CVE References: CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libxml2-2.9.4-46.34.1
SUSE Linux Enterprise Server 12-SP5 (src): libxml2-2.9.4-46.34.1, python-libxml2-2.9.4-46.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:14729-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1159928,1161517,1161521,1176179,1185408,1185409,1185410,1185698
CVE References: CVE-2014-0191,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
The upstream ticket https://gitlab.gnome.org/GNOME/libxml2/-/issues/161 has been made public, and the result is clear. Entering a NULL document as a parameter is apparently just not supported and it must be fixed in the programs using this library. I suggest closing this bug as WONTFIX (because the problem is not in libxml2) or retargeting it to perl-XML-LibXML. Adding its maintainers to the CC of this bug.
done