Bugzilla – Bug 1219578
VUL-0: CVE-2024-25062: perl-Alien-Libxml2: libxml2: use-after-free in XMLReader
Last modified: 2024-02-07 13:12:29 UTC
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25062
https://gitlab.gnome.org/GNOME/libxml2/-/tags
https://www.cve.org/CVERecord?id=CVE-2024-25062
https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
https://bugzilla.redhat.com/show_bug.cgi?id=2262726

Patch: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/perl-Alien-Libxml2
- openSUSE:Factory/perl-Alien-Libxml2
perl-Alien-Libxml2 uses the system libxml2, so I think fixing it on the libxml2 side will be enough here. There seems to be a new upstream version with number 2.2.15 that includes the fix, see: https://discourse.gnome.org/t/libxml2-2-12-5-released/19337 For the perl-Alien-Libxml2 package in particular, upgrading to the new version will suffice in both Factory and ALP. Could you ask the libxml2 maintainer to upgrade the package in both Factory and ALP and fix it in the rest of the SLE codestreams in the context of bsc#1219576? TIA
I created the bug since, looking inside the package, it seems that it downloads the libxml2 package directly from GitLab via this Download::GitLab plugin, and the version that it fetches is hardcoded in the source ("version" : "0.19"). But if you confirm that it uses the system one, we will proceed with fixing only the libxml2 package and close this one.
Yes, I double-checked and it uses the system libxml2 library. Thanks for the pointer to the Download::GitLab plugin; it looks like it's only used to get the version to check if it's listed as a 'bad version'.
Closed since the fix will be applied through the libxml2 package.
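A triage helper for the version ranges in the description above (an added example, not part of this bug report nor code from the libxml2 or perl-Alien-Libxml2 projects): it classifies a libxml2 version string against the "before 2.11.7 / 2.12.x before 2.12.5" ranges, which is the check behind the thread's question of whether fixing the system libxml2 is enough. Reading the installed version via `pkg-config --modversion libxml-2.0`, and accepting libxml2's numeric MMmmpp form (LIBXML_VERSION), are assumptions about how the version is reported.

```python
"""Triage helper for CVE-2024-25062 (libxml2 use-after-free in XMLReader).

Added example, not code from the bug report or from libxml2. It decides whether
a libxml2 version falls in the affected ranges named in the description:
  - any release before 2.11.7
  - any 2.12.x release before 2.12.5
Accepted inputs (assumptions about how the version is reported): a dotted
string such as "2.12.4" (what `pkg-config --modversion libxml-2.0` prints) or
libxml2's numeric LIBXML_VERSION form MMmmpp, e.g. 21204 for 2.12.4.
"""
import re
import subprocess

def parse_libxml2_version(text: str) -> tuple:
    """Return (major, minor, micro) from a dotted or MMmmpp version string."""
    text = text.strip()
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if m:
        return tuple(int(x) for x in m.groups())
    if re.fullmatch(r"\d{5,6}", text):  # MMmmpp integer, e.g. 21204
        n = int(text)
        return (n // 10000, (n // 100) % 100, n % 100)
    raise ValueError(f"unrecognised libxml2 version: {text!r}")

def is_affected_by_cve_2024_25062(version: str) -> bool:
    """True if `version` lies in an affected range, False if it carries the fix."""
    v = parse_libxml2_version(version)
    major, minor, _ = v
    if major > 2 or (major == 2 and minor >= 13):
        return False  # newer than both ranges named in the advisory
    if major == 2 and minor == 12:
        return v < (2, 12, 5)  # 2.12 branch: fixed in 2.12.5
    return v < (2, 11, 7)  # 2.11 and every older release: fixed in 2.11.7

def system_libxml2_version():
    """Version of the system libxml2 via pkg-config, or None if unavailable."""
    try:
        out = subprocess.run(["pkg-config", "--modversion", "libxml-2.0"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()

if __name__ == "__main__":
    installed = system_libxml2_version()
    if installed is None:
        print("libxml2 not found via pkg-config")
    else:
        verdict = "AFFECTED" if is_affected_by_cve_2024_25062(installed) else "fixed"
        print(f"system libxml2 {installed}: {verdict} for CVE-2024-25062")
```

Because perl-Alien-Libxml2 links against the system library, the version this prints is the one that matters for the package, not the "version" string in its own source.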