Bug 1202801 - (CVE-2021-42521) VUL-0: CVE-2021-42521: vtk: NULL pointer dereference vulnerability in IO/Infovis/vtkXMLTreeReader.cxx
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Leap 15.4
Other Other
P3 - Medium : Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/340887/
Reported: 2022-08-26 07:11 UTC by Alexander Bergmann
Modified: 2022-09-16 03:40 UTC
Found By: Security Response Team


Description Alexander Bergmann 2022-08-26 07:11:23 UTC
CVE-2021-42521

There is a NULL pointer dereference vulnerability in VTK, and it lies in
IO/Infovis/vtkXMLTreeReader.cxx. The vendor didn't check the return value of
the libxml2 API 'xmlDocGetRootElement', and tries to dereference it. It is unsafe as
the return value can be NULL and that NULL pointer dereference may crash the
application.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42521
https://www.cve.org/CVERecord?id=CVE-2021-42521
https://gitlab.kitware.com/vtk/vtk/issues/17818
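
The unchecked and checked call patterns from the description, as an added example that is not VTK's code or its fix. The `node`/`doc` types, `doc_get_root` and the sample documents are hypothetical stand-ins that model only the NULL-return behaviour of `xmlDocGetRootElement`, so the file builds without libxml2.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in types (assumption): just enough structure to walk a tree. */
typedef struct node { struct node *children, *next; const char *name; } node;
typedef struct doc  { node *root; } doc;  /* root == NULL: no root element */

/* Models xmlDocGetRootElement: NULL for a NULL document or one with no root. */
static node *doc_get_root(const doc *d) { return d ? d->root : NULL; }

/* Element handler that assumes a valid node, as a recursive tree reader does. */
static int count_elements(const node *n) {
    int total = 1;
    for (const node *c = n->children; c != NULL; c = c->next)
        total += count_elements(c);
    return total;
}

/* Unchecked pattern from the report: dereferences NULL when there is no root.
 * Shown for comparison only; nothing in this file calls it. */
int read_tree_unchecked(const doc *d) {
    return count_elements(doc_get_root(d));
}

/* Checked pattern: reject the document instead of dereferencing NULL. */
int read_tree_checked(const doc *d, int *out_count) {
    const node *root = doc_get_root(d);
    if (root == NULL)
        return -1;                /* caller reports "no root element" */
    *out_count = count_elements(root);
    return 0;
}

/* Constructed samples: <a><b/><c/></a> and a document with no root element. */
static node c_ = { NULL, NULL, "c" };
static node b_ = { NULL, &c_, "b" };
static node a_ = { &b_, NULL, "a" };
static doc sample_doc   = { &a_ };
static doc rootless_doc = { NULL };

/* Returns the element count, or -1 when the document is rejected. */
int demo_checked(const doc *d) { int n = 0; return read_tree_checked(d, &n) == 0 ? n : -1; }

int main(void) {
    printf("tree: %d, rootless: %d, null doc: %d\n",
           demo_checked(&sample_doc), demo_checked(&rootless_doc), demo_checked(NULL));
    return 0;
}
```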