Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 856598 (CVE-2022-2309)

Summary: <dev-python/lxml-4.9.1: triggerable crash via crafted input
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mgorny, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba
See Also: https://bugs.gentoo.org/show_bug.cgi?id=865727
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 856604    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 16:26:28 UTC 
CVE-2022-2309:

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Patch: https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-07-07 19:06:46 UTC 
cleanup done.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-08 17:51:49 UTC 
Thanks!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-09 23:05:10 UTC 
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2022-08-10 04:18:27 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=00cb8ca9acda9480b2cbc77e709e6f1c6d0babf4

commit 00cb8ca9acda9480b2cbc77e709e6f1c6d0babf4
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 03:53:32 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:16:21 +0000

    [ GLSA 202208-06 ] lxml: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/777579
    Bug: https://bugs.gentoo.org/829053
    Bug: https://bugs.gentoo.org/856598
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-06.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:24:24 UTC 
GLSA released, all done!