Bug 1201253 - (CVE-2022-2309) VUL-0: CVE-2022-2309: python-lxml,python3-lxml: NULL pointer dereference due to state leak between parser runs
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/336287/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-2309:6.5:(AV:N...
Depends on:
Blocks:
Reported: 2022-07-06 08:34 UTC by Carlos López
Modified: 2022-08-26 13:21 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-07-06 08:34:11 UTC
CVE-2022-2309

NULL Pointer Dereference allows attackers to cause a denial of service (or
application crash). This only applies when lxml is used together with libxml2
2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows
triggering crashes through forged input data, given a vulnerable code sequence
in the application. The vulnerability is caused by the iterwalk function (also
used by the canonicalize function). Such code shouldn't be in widespread use,
given that parsing + iterwalk would usually be replaced with the more efficient
iterparse function. However, an XML converter that serialises to C14N would also
be vulnerable, for example, and there are legitimate use cases for this code
sequence. If untrusted input is received (also remotely) and processed via the
iterwalk function, a crash can be triggered.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2309
https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2309
http://www.cvedetails.com/cve/CVE-2022-2309/
https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba
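The description ties exposure to two conditions at once: the libxml2 build that lxml is linked against must fall in 2.9.10 through 2.9.14, and the application must actually run the parse + iterwalk (or canonicalize) code sequence on untrusted input. The following triage helper is an added example for this bug, not code from lxml, libxml2 or SUSE: it checks the version range stated above, locates iterwalk/canonicalize call sites in application source via the AST, and combines both into a verdict. `lxml.etree.LIBXML_VERSION` is lxml's real attribute for the linked libxml2 version; the `SAMPLE_APP` source and the verdict strings are constructed for the example.

```python
"""Triage helper for CVE-2022-2309 (lxml iterwalk / canonicalize crash when
linked against libxml2 2.9.10 through 2.9.14).

Added example for this bug report; not code from lxml, libxml2 or SUSE.
It combines the two conditions the description names: the libxml2 version
range, and whether the application actually runs the iterwalk code path.
"""
import ast
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Range stated in the CVE description (inclusive); 2.9.9 and earlier are clean.
AFFECTED_MIN: Version = (2, 9, 10)
AFFECTED_MAX: Version = (2, 9, 14)

# lxml entry points named by the report as reaching the faulty code path.
RISKY_CALLS = {"iterwalk", "canonicalize"}


def parse_version(text: str) -> Version:
    """'2.9.12' or '2.9.12+dfsg' -> (2, 9, 12); missing components become 0."""
    parts: List[int] = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def libxml2_affected(version: Version) -> bool:
    """True when the linked libxml2 is inside the affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def find_risky_calls(source: str) -> List[Tuple[int, str]]:
    """Locate iterwalk()/canonicalize() call sites in Python source via the AST,
    whether called as etree.iterwalk(...) or after 'from lxml.etree import iterwalk'."""
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = node.func
        name = callee.id if isinstance(callee, ast.Name) else getattr(callee, "attr", None)
        if name in RISKY_CALLS:
            hits.append((node.lineno, name))
    return sorted(hits)


def assess(libxml2_version: Version, source: str) -> str:
    """Verdict (constructed labels): only the combination of an affected libxml2
    and a risky call path turns untrusted XML into a crash vector."""
    if not libxml2_affected(libxml2_version):
        return "not-affected"
    if not find_risky_calls(source):
        return "library-affected"
    return "exposed"


def installed_libxml2_version() -> Optional[Version]:
    """Version of the libxml2 that lxml is linked against, or None without lxml.
    lxml.etree.LIBXML_VERSION is the attribute lxml exposes for this."""
    try:
        from lxml import etree
    except ImportError:
        return None
    return (etree.LIBXML_VERSION[0], etree.LIBXML_VERSION[1], etree.LIBXML_VERSION[2])


# Constructed sample application: the parse + iterwalk sequence the report describes.
SAMPLE_APP = '''
from lxml import etree

def convert(data):
    tree = etree.fromstring(data)
    for event, elem in etree.iterwalk(tree, events=("start",)):
        pass
    return etree.canonicalize(tree)
'''

if __name__ == "__main__":
    installed = installed_libxml2_version()
    # Fall back to the SLE-15-SP4 libxml2 version from this bug when lxml is absent.
    shown = installed if installed is not None else parse_version("2.9.12")
    print("libxml2", ".".join(map(str, shown)), "->", assess(shown, SAMPLE_APP))
    for lineno, name in find_risky_calls(SAMPLE_APP):
        print(f"  line {lineno}: {name}()")
```

A "library-affected" result still warrants taking the fixed python-lxml package, since the AST scan only sees the source you hand it; the "exposed" result is the case to treat as urgent wherever the scanned code receives XML from outside.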
Comment 1 Carlos López 2022-07-06 09:05:09 UTC
(In reply to Carlos López from comment #0)
> This only applies when lxml is used together with libxml2
> 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected.

Shipped libxml2 versions:
 - SUSE:SLE-11-SP1:Update  2.7.6
 - SUSE:SLE-12-SP2:Update  2.9.4
 - SUSE:SLE-12:Update      2.9.1
 - SUSE:SLE-15:Update      2.9.7
 - SUSE:SLE-15-SP4:Update  2.9.12 (!)
 - openSUSE:Factory        2.9.14 (!)

Shipped python-lxml packages:
 - SUSE:SLE-11-SP3:Update/python-lxml
 - SUSE:SLE-12-SP2:Update/python-lxml
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-lxml
 - SUSE:SLE-15:Update/python-lxml
 - SUSE:SLE-15-SP2:Update
 - openSUSE:Factory/python-lxml

Shipped python3-lxml packages:
 - SUSE:SLE-12:Update/python3-lxml
 - SUSE:SLE-12-SP4:Update/python3-lxml

As far as I can tell:
 - SUSE:SLE-15-SP2:Update/python-lxml pulls SUSE:SLE-15-SP4:Update/libxml2 on newer products (e.g. SLES 15 SP3 and SP4), and would require the fix.
 - openSUSE:Factory/python-lxml pulls openSUSE:Factory/libxml2 on Tumbleweed, and would also require a fix.

SUSE:SLE-15:Update/python-lxml and older pull from SUSE:SLE-15:Update/libxml2 and older, and thus do not require a submission. python3-lxml is only present in older codestreams, so the same should apply.

Patch:
https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
Comment 5 OBSbugzilla Bot 2022-08-19 12:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1201253) was mentioned in
https://build.opensuse.org/request/show/998154 Factory / python-lxml
Comment 6 Swamp Workflow Management 2022-08-23 16:16:16 UTC
SUSE-SU-2022:2878-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201253
CVE References: CVE-2022-2309
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    python-lxml-4.7.1-150100.6.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-08-26 13:21:32 UTC
SUSE-SU-2022:2908-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201253
CVE References: CVE-2022-2309
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python-lxml-4.7.1-150200.3.10.1
openSUSE Leap 15.3 (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Manager Server 4.1 (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Manager Retail Branch Server 4.1 (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Manager Proxy 4.1 (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    python-lxml-4.7.1-150200.3.10.1
SUSE Enterprise Storage 7 (src):    python-lxml-4.7.1-150200.3.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.