[Debian] CVE: CVE-2022-40303: libxml2: leading to a segmentation fault

Bug #1999991 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Wentao Zhang

Bug Description

CVE-2022-40303: https://nvd.nist.gov/vuln/detail/CVE-2022-40303

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

Score (CVSS v3 base score and vector components for CVE-2022-40303):
cve_id          status  cvss3Score  av  ac  pr  ui  ai
CVE-2022-40303  fixed   7.5         N   L   N   N   H
(av: attack vector, N = network; ac: attack complexity, L = low; pr: privileges required, N = none; ui: user interaction, N = none; ai: availability impact, H = high. The only impact is availability: a crash of the parsing process.)

References:
https://security-tracker.debian.org/tracker/CVE-2022-40303

Packages to upgrade:
libxml2-dev_2.9.10+dfsg-6.7+deb11u1_amd64.deb ===> libxml2-dev_2.9.10+dfsg-6.7+deb11u3_amd64.deb
libxml2-utils_2.9.10+dfsg-6.7+deb11u1_amd64.deb ===> libxml2-utils_2.9.10+dfsg-6.7+deb11u3_amd64.deb
libxml2_2.9.10+dfsg-6.7+deb11u1_amd64.deb ===> libxml2_2.9.10+dfsg-6.7+deb11u3_amd64.deb
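The counter overflow described in the bug description, as an added illustration written for this report; it is neither libxml2's code nor part of the StarlingX change. It models the pre-fix arithmetic: a signed 32-bit length counter whose only bound (XML_MAX_NAME_LENGTH) is switched off by XML_PARSE_HUGE, so after 2 GiB of name data it wraps to INT32_MIN and the caller's `base + len` becomes the negative 2 GB offset from the advisory. Beside it is a hardened form using a size_t counter with a cap that is checked before the addition and applies in HUGE mode too. The names XML_PARSE_HUGE and XML_MAX_NAME_LENGTH follow libxml2; the XML_MAX_HUGE_LENGTH value, the 1 MiB per-step chunk and the 2 GiB input are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Parser option flag, as in libxml2's xmlParserOption. */
#define XML_PARSE_HUGE        (1 << 19)
/* Length limits. XML_MAX_NAME_LENGTH matches libxml2's default; the
   XML_MAX_HUGE_LENGTH value is an assumption for this illustration. */
#define XML_MAX_NAME_LENGTH   50000
#define XML_MAX_HUGE_LENGTH   1000000000UL

typedef struct {
    int  ok;      /* 1: name accepted, 0: rejected by a length check */
    long offset;  /* offset the caller would add to the buffer base when ok */
} name_result;

static size_t next_step(uint64_t total, uint64_t consumed, size_t chunk)
{
    uint64_t remaining = total - consumed;
    return remaining < chunk ? (size_t)remaining : chunk;
}

/* Pre-fix shape of the bug: the running length is a signed 32-bit int and
   XML_PARSE_HUGE disables the only check that would stop it growing.
   name_bytes is the total length of one (huge) XML name; chunk is how many
   bytes the simulated parser consumes per iteration (constructed values). */
name_result vulnerable_accumulate(uint64_t name_bytes, int options, size_t chunk)
{
    int32_t len = 0;
    uint64_t consumed = 0;

    while (consumed < name_bytes) {
        size_t step = next_step(name_bytes, consumed, chunk);
        /* The real code did `len += l` on an int. Signed overflow is
           undefined behaviour in C, so the two's-complement wrap that
           happens in practice is written out explicitly here. */
        len = (int32_t)((uint32_t)len + (uint32_t)step);
        consumed += step;
        if (!(options & XML_PARSE_HUGE) && len > XML_MAX_NAME_LENGTH)
            return (name_result){ 0, 0 };
    }
    /* The parser then forms a pointer like `base + len`; once len has
       wrapped to INT32_MIN that is the negative 2 GB offset from the
       advisory, and dereferencing it segfaults. */
    return (name_result){ 1, (long)len };
}

/* Hardened shape: a size_t counter plus a cap that still applies with
   XML_PARSE_HUGE, checked before the addition so the check itself cannot
   overflow. Upstream bounds huge lengths in the same spirit; this is an
   illustration, not the libxml2 patch. */
name_result hardened_accumulate(uint64_t name_bytes, int options, size_t chunk)
{
    size_t len = 0;
    size_t max = (options & XML_PARSE_HUGE) ? XML_MAX_HUGE_LENGTH
                                           : XML_MAX_NAME_LENGTH;
    uint64_t consumed = 0;

    while (consumed < name_bytes) {
        size_t step = next_step(name_bytes, consumed, chunk);
        if (step > max - len)           /* would exceed the cap: reject */
            return (name_result){ 0, 0 };
        len += step;
        consumed += step;
    }
    return (name_result){ 1, (long)len };
}

int main(void)
{
    const uint64_t two_gib = 2ULL << 30;   /* constructed input size */
    const size_t   chunk   = 1u << 20;     /* 1 MiB per parser step */

    name_result v = vulnerable_accumulate(two_gib, XML_PARSE_HUGE, chunk);
    name_result h = hardened_accumulate(two_gib, XML_PARSE_HUGE, chunk);

    printf("vulnerable, HUGE: ok=%d offset=%ld\n", v.ok, v.offset);
    printf("hardened,   HUGE: ok=%d offset=%ld\n", h.ok, h.offset);
    return 0;
}
```

The model only reproduces the arithmetic; it does not parse a multi-gigabyte document. The practical caveat is that upgrading to the deb11u3 packages fixes the library, but any application that passes XML_PARSE_HUGE when parsing untrusted input is deliberately relaxing libxml2's size limits, so that option deserves a review of its own rather than being left on by default.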

Yue Tao (wrytao)
information type: Public → Public Security
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
tags: added: stx.8.0 stx.security
Wentao Zhang (wzhang4)
Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/868153

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/868153
Committed: https://opendev.org/starlingx/tools/commit/7082b866c6d5139f51bb62455d59cd5d55ec758a
Submitter: "Zuul (22348)"
Branch: master

commit 7082b866c6d5139f51bb62455d59cd5d55ec758a
Author: Wentao Zhang <email address hidden>
Date: Tue Dec 20 14:02:19 2022 +0800

    Debian:libxml2:fix CVE-2022-40303

    Upgrade libxml2-dev, libxml2-utils, libxml2 to the
    version in which CVE-2022-40303 has been fixed:

    libxml2-dev_2.9.10+dfsg-6.7+deb11u1_amd64.deb to
    libxml2-dev_2.9.10+dfsg-6.7+deb11u3_amd64.deb
    libxml2-utils_2.9.10+dfsg-6.7+deb11u1_amd64.deb to
    libxml2-utils_2.9.10+dfsg-6.7+deb11u3_amd64.deb
    libxml2_2.9.10+dfsg-6.7+deb11u1_amd64.deb to
    libxml2_2.9.10+dfsg-6.7+deb11u3_amd64.deb

    (Refer to https://security-tracker.debian.org/tracker/CVE-2022-40303)

    This fix provides the URL of the package in base-bullseye.lst to
    make sure that the binary package can be downloaded no matter how
    the upstream changes.

    Test plan:
    PASS: build-pkgs --clean --all && build-image

    Closes-bug: 1999991
    Signed-off-by: Wentao Zhang <email address hidden>
    Change-Id: If4f54d881a726163f5d9d75285f3898d44208ce4

Changed in starlingx:
status: In Progress → Fix Released