Bug 1224284 - VUL-0: CVE-2024-34459: rubygem-nokogiri: libxml2: buffer over-read in xmlHTMLPrintFileContext in xmllint.c
Summary: VUL-0: CVE-2024-34459: rubygem-nokogiri: libxml2: buffer over-read in xmlHTML...
Status: RESOLVED INVALID
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Marcus Rückert
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/405285/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2024-34459
  Show dependency treegraph
 
Reported: 2024-05-15 11:07 UTC by Camila Camargo de Matos
Modified: 2024-05-15 11:26 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Camila Camargo de Matos 2024-05-15 11:07:22 UTC 
+++ This bug was initially created as a clone of Bug #1224281 +++

An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-34459
https://www.cve.org/CVERecord?id=CVE-2024-34459
https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7
https://bugzilla.redhat.com/show_bug.cgi?id=2280532
https://jira.suse.com/browse/CAR-3459
Comment 2 Camila Camargo de Matos 2024-05-15 11:22:05 UTC 
Package rubygem-nokogiri is not using the local copy of libxml2 in SUSE/openSUSE codestreams. It is instead linking against the system copy of libxml2. Therefore, rubygem-nokogiri is not affected by this issue. Closing this bug as RESOLVED/INVALID.
Comment 3 Camila Camargo de Matos 2024-05-15 11:26:37 UTC 
(In reply to Camila Camargo de Matos from comment #2)
> Package rubygem-nokogiri is not using the local copy of libxml2 in
> SUSE/openSUSE codestreams. It is instead linking against the system copy of
> libxml2. Therefore, rubygem-nokogiri is not affected by this issue. Closing
> this bug as RESOLVED/INVALID.

Additionally, this issue affects the xmllint utility only.