Bug 1219579 - VUL-0: CVE-2024-25062: rubygem-nokogiri: libxml2: use-after-free in XMLReader
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Marcus Rückert
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/392982/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2024-25062
Reported: 2024-02-05 15:03 UTC by Andrea Mattiazzo
Modified: 2024-02-28 12:36 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andrea Mattiazzo 2024-02-05 15:03:11 UTC
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25062
https://gitlab.gnome.org/GNOME/libxml2/-/tags
https://www.cve.org/CVERecord?id=CVE-2024-25062
https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
https://bugzilla.redhat.com/show_bug.cgi?id=2262726

Patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d
Comment 1 Andrea Mattiazzo 2024-02-05 15:03:56 UTC
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/rubygem-nokogiri
- SUSE:SLE-12:Update/rubygem-nokogiri
- SUSE:SLE-15-SP4:Update/rubygem-nokogiri
- SUSE:SLE-15:Update/rubygem-nokogiri
- openSUSE:Factory/rubygem-nokogiri
Comment 3 Marcus Meissner 2024-02-28 12:35:20 UTC
Currently nokogiri links against our system libxml2.

Checked on SLES 15 SP5.
Comment 4 Marcus Meissner 2024-02-28 12:36:00 UTC
Not affected.
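
The triage above turns on two facts: which libxml2 nokogiri loads (system or packaged) and whether that version falls in the range from the description. The following Ruby check is an added example, not part of the bug report or of nokogiri; it assumes the `source` and `loaded` keys of `Nokogiri::VERSION_INFO["libxml"]`, and the fallback hash is a constructed sample. Distribution packages can carry backported fixes, so a version inside the upstream range is a prompt to check the package changelog, not a verdict.

```ruby
# Added example: upstream version-range check for CVE-2024-25062.
require "rubygems"

FIXED_2_11 = Gem::Version.new("2.11.7")
START_2_12 = Gem::Version.new("2.12.0")
FIXED_2_12 = Gem::Version.new("2.12.5")

# True when an upstream libxml2 version is in the range the description
# gives: before 2.11.7, or 2.12.x before 2.12.5.
def upstream_affected?(version_string)
  v = Gem::Version.new(version_string)
  return v < FIXED_2_12 if v >= START_2_12
  v < FIXED_2_11
end

# Summarise the "libxml" hash taken from Nokogiri::VERSION_INFO.
def assess(libxml_info)
  loaded = libxml_info.fetch("loaded")
  source = libxml_info.fetch("source", "unknown")
  {
    source: source,
    loaded: loaded,
    in_upstream_range: upstream_affected?(loaded),
    # A system libxml2 is fixed by the distribution's libxml2 package;
    # a packaged (vendored) one is fixed by updating the nokogiri gem.
    fix_via: source == "system" ? "distribution libxml2 package" : "nokogiri gem update"
  }
end

if __FILE__ == $PROGRAM_NAME
  begin
    require "nokogiri"
    info = Nokogiri::VERSION_INFO["libxml"]
  rescue LoadError
    # Constructed sample, used when nokogiri is not installed.
    info = { "source" => "system", "loaded" => "2.10.3" }
  end
  puts assess(info) if info
end
```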