aosc-os-abbs icon indicating copy to clipboard operation
aosc-os-abbs copied to clipboard

Published 20 hours ago verified publisher icon AOSC-Dev

libxml2: Multiple Vulnerabilites (CVE-2022-{29824,23308,40303,40304})

Open CamberLoid opened this issue 2 years ago • 0 comments

CVE IDs

CVE-2022-{29824,23308,40303,40304

Other security advisory IDs

  • Debian: https://security-tracker.debian.org/tracker/DSA-5142-1 https://security-tracker.debian.org/tracker/DLA-2972-1
  • Gentoo: https://security.gentoo.org/glsa/202210-03

Description

Multiple vulnerabilities of libxml2 has been found.

  • CVE-2022-40304: dict corruption caused by entity reference cycles. Fixed via https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b
  • CVE-2022-40303: integer overflows with XML_PARSE_HUG. Fixed via https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0
  • CVE-2022-23308: valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. Fixed via https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12a858989b14eed4e84e453059cd3ba340e
  • CVE-2022-29824: integer overflows in xmlBuf and xmlBuffer. Fixed via https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab

Patches

Update to 2.10.3 should fix these problem.

PoC(s)

N/A

CamberLoid avatar Oct 23 '22 11:10 CamberLoid