Bug 1219575 (CVE-2024-25062) - VUL-0: CVE-2024-25062: TRACKERBUG: libxml2: use-after-free in XMLReader
Summary: VUL-0: CVE-2024-25062: TRACKERBUG: libxml2: use-after-free in XMLReader
Status: NEW
Alias: CVE-2024-25062
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/392982/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-25062:5.9:(AV:...
Keywords:
Depends on: 1219576 1219578 1219579
Blocks:
Reported: 2024-02-05 14:41 UTC by SMASH SMASH
Modified: 2024-02-14 07:11 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-02-05 14:41:51 UTC
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25062
https://gitlab.gnome.org/GNOME/libxml2/-/tags
https://www.cve.org/CVERecord?id=CVE-2024-25062
https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
https://bugzilla.redhat.com/show_bug.cgi?id=2262726

Patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d
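The description above pins the affected ranges (everything before 2.11.7, and 2.12.x before 2.12.5) and the trigger conditions (XML Reader with DTD validation and XInclude expansion both enabled). The following is an added triage helper, not part of this bug report and not libxml2 code: it takes a libxml2 version either in dotted form (as printed by `pkg-config --modversion libxml-2.0`) or in the integer form libxml2 uses for LIBXML_VERSION (major*10000 + minor*100 + micro, e.g. 21106 for 2.11.6, which is also what `xmllint --version` prints) and reports whether it falls inside the ranges named in the advisory text. The inventory lines and host names in the block are constructed sample input.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed upstream releases named in the advisory text.
FIXED_2_11 = (2, 11, 7)
FIXED_2_12 = (2, 12, 5)


def parse_libxml2_version(text: str) -> Version:
    """Extract a libxml2 version from a dotted string ("2.11.6") or from
    libxml2's integer encoding (LIBXML_VERSION = major*10000 + minor*100 + micro,
    e.g. 21106), possibly embedded in a longer line such as the first line
    of `xmllint --version`."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m:
        major, minor, micro = (int(x) for x in m.groups())
        return (major, minor, micro)
    m = re.search(r"\b(\d{5,6})\b", text)
    if m:
        n = int(m.group(1))
        return (n // 10000, (n // 100) % 100, n % 100)
    raise ValueError(f"no libxml2 version found in {text!r}")


def is_affected(version: Version) -> bool:
    """CVE-2024-25062 as described: every release before 2.11.7, plus the
    2.12 series before 2.12.5. 2.13 and later are not listed as affected."""
    major, minor, _ = version
    if (major, minor) == (2, 12):
        return version < FIXED_2_12
    return version < FIXED_2_11


# Constructed sample inventory (hypothetical hosts), as a fleet scan might
# collect it from `xmllint --version` or `pkg-config --modversion libxml-2.0`.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "xmllint: using libxml version 21106",
    "web-02": "2.11.7",
    "build-03": "2.12.4",
    "build-04": "2.12.5",
    "dev-05": "libxml2 2.13.0",
}


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[Version, bool]]:
    """Map host name -> (parsed version, affected-by-upstream-version)."""
    result: Dict[str, Tuple[Version, bool]] = {}
    for host, text in inventory.items():
        v = parse_libxml2_version(text)
        result[host] = (v, is_affected(v))
    return result


if __name__ == "__main__":
    for host, (v, hit) in triage(SAMPLE_INVENTORY).items():
        dotted = ".".join(str(x) for x in v)
        verdict = "AFFECTED (upstream range)" if hit else "fixed or not listed"
        print(f"{host}: libxml2 {dotted} -> {verdict}")
```

The verdict is by upstream version only. Distribution packages (the SUSE packages tracked in the Depends-on bugs above are the relevant case here) usually backport the referenced commit without changing the upstream version string, so for packaged libxml2 compare the package release against the vendor's fixed version rather than trusting this check alone. Until a fixed build is installed, the conditions the description names are what to avoid on untrusted input: running the reader with DTD validation and XInclude expansion both enabled.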