Bug 856598 (CVE-2022-2309) - <dev-python/lxml-4.9.1: triggerable crash via crafted input
Summary: <dev-python/lxml-4.9.1: triggerable crash via crafted input
Status: RESOLVED FIXED
Alias: CVE-2022-2309
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://huntr.dev/bounties/8264e74f-e...
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 856604
Blocks:
Reported: 2022-07-05 16:26 UTC by John Helmert III
Modified: 2022-08-19 00:58 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 16:26:28 UTC
CVE-2022-2309:

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in widespread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via the iterwalk function, a crash can be triggered.

Patch: https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
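As an added triage aid (not part of the bug report, of lxml or of Gentoo's tooling), the following Python script encodes the version conditions stated in the description above and statically scans Python source for the iterwalk / canonicalize code sequence the advisory singles out. The sample source and the fallback version strings are constructed here; the only lxml attributes it relies on are lxml.__version__ and lxml.etree.LIBXML_VERSION.

```python
import ast
import re
from typing import List, Tuple
# Ranges as stated in the bug report: lxml fixed in 4.9.1; libxml2 2.9.10 through 2.9.14 affected.
FIXED_LXML = (4, 9, 1)
LIBXML2_AFFECTED = ((2, 9, 10), (2, 9, 14))
RISKY_CALLS = ("iterwalk", "canonicalize")  # canonicalize uses iterwalk internally

def parse_version(text: str) -> Tuple[int, ...]:
    """'4.9.0rc1' -> (4, 9, 0): leading digits of each dotted piece, pre-release tags ignored."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(lxml_version: str, libxml2_version: str) -> bool:
    """Both conditions must hold: an unpatched lxml AND a libxml2 in the affected series."""
    low, high = LIBXML2_AFFECTED
    return parse_version(lxml_version) < FIXED_LXML and low <= parse_version(libxml2_version) <= high

def find_risky_calls(source: str) -> List[Tuple[str, int]]:
    """Static scan: (name, line) for every call to iterwalk/canonicalize, however it is qualified."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in RISKY_CALLS:
                hits.append((name, node.lineno))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample showing the "parse + iterwalk" sequence from the advisory; it is parsed, never executed.
SAMPLE_SOURCE = """from lxml import etree
def convert(data):
    root = etree.fromstring(data)  # untrusted input
    for event, el in etree.iterwalk(root, events=("start",)):
        pass
    return etree.canonicalize(data)
"""

def installed_versions() -> Tuple[str, str]:
    """lxml.__version__ and lxml.etree.LIBXML_VERSION when lxml is importable, else constructed placeholders."""
    try:
        import lxml, lxml.etree as etree
        return lxml.__version__, ".".join(map(str, etree.LIBXML_VERSION))
    except ImportError:
        return "4.9.0", "2.9.12"
```

With lxml installed, `is_affected(*installed_versions())` reports the local exposure; run `find_risky_calls` over your own sources in place of `SAMPLE_SOURCE` to locate the call sites worth reviewing.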
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-07-07 19:06:46 UTC
cleanup done.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-08 17:51:49 UTC
Thanks!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-09 23:05:10 UTC
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2022-08-10 04:18:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=00cb8ca9acda9480b2cbc77e709e6f1c6d0babf4

commit 00cb8ca9acda9480b2cbc77e709e6f1c6d0babf4
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 03:53:32 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:16:21 +0000

    [ GLSA 202208-06 ] lxml: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/777579
    Bug: https://bugs.gentoo.org/829053
    Bug: https://bugs.gentoo.org/856598
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-06.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:24:24 UTC
GLSA released, all done!