chore: cherry-pick 652dd12a and d05317ce from libxml #33670

merged 2 commits into from Apr 18, 2022



@ppontes ppontes commented Apr 8, 2022

Commit 652dd12a authored 1 month ago by Nick Wellnhofer
[CVE-2022-23308] Use-after-free of ID and IDREF attributes
If a document is parsed with XML_PARSE_DTDVALID and without
XML_PARSE_NOENT, the value of ID attributes has to be normalized after
potentially expanding entities in xmlRemoveID. Otherwise, later calls
to xmlGetID can return a pointer to previously freed memory.

ID attributes which are empty or contain only whitespace after
entity expansion are affected in a similar way. This is fixed by
not storing such attributes in the ID table.

The test to detect streaming mode when validating against a DTD was
broken. In connection with the defects above, this could result in a
use-after-free when using the xmlReader interface with validation.
Fix detection of streaming mode to avoid similar issues. (This changes
the expected result of a test case. But as far as I can tell, using the
XML reader with XIncludes referencing the root document never worked
properly, anyway.)

All of these issues can result in denial of service. Using xmlReader
with validation could result in disclosure of memory via the error
channel, typically stderr. The security impact of xmlGetID returning
a pointer to freed memory depends on the application. The typical use
case of calling xmlGetID on an unmodified document is not affected.
parent d19bab68 master


Commit d05317ce authored 1 month ago by Nick Wellnhofer
Fix --without-valid build
Regressed in commit 652dd12a.

Release Notes

Notes: Security: backported fix for CVE-2022-23308.
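
An added, simplified model of the key mismatch described in the first commit message above; it is not code from libxml2, Chromium or Electron. It assumes the ID table is keyed by the normalized attribute value, so a removal that skips normalization misses the entry and leaves a pointer behind. Entity expansion is not modeled, and every name in it (`id_table`, `normalize`, `add_id`, `remove_id`, `stale_after_remove`) is hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ID table (not libxml2's): normalized key -> attribute. */
#define MAX_IDS 8
static struct { char key[32]; const void *attr; } id_table[MAX_IDS];
/* Trim whitespace at both ends and collapse inner runs to one space. */
static void normalize(const char *in, char *out, size_t n) {
    size_t o = 0;
    for (; *in && o + 1 < n; in++)
        if (!isspace((unsigned char)*in)) out[o++] = *in;
        else if (o && out[o - 1] != ' ') out[o++] = ' ';
    if (o && out[o - 1] == ' ') o--;
    out[o] = '\0';
}
/* Store attr under its normalized ID; IDs that end up empty are rejected. */
static int add_id(const char *value, const void *attr) {
    char key[32];
    normalize(value, key, sizeof key);
    for (int i = 0; key[0] && i < MAX_IDS; i++) {
        if (id_table[i].attr) continue;
        strcpy(id_table[i].key, key);
        id_table[i].attr = attr;
        return 1;
    }
    return 0;
}
/* normalize_first = 0 models removal before the fix, 1 after it. */
static int remove_id(const char *value, int normalize_first) {
    char key[32];
    int removed = 0;
    if (normalize_first) normalize(value, key, sizeof key);
    else snprintf(key, sizeof key, "%s", value);
    for (int i = 0; i < MAX_IDS; i++)
        if (id_table[i].attr && !strcmp(id_table[i].key, key)) { id_table[i].attr = NULL; removed++; }
    return removed;
}
/* Entries still pointing at the attribute after its ID was removed. */
static int stale_after_remove(const char *value, int normalize_first) {
    static const int attr = 0; /* stands in for an attribute node */
    memset(id_table, 0, sizeof id_table);
    int added = add_id(value, &attr);
    return added - remove_id(value, normalize_first);
}
int main(void) {
    printf("stale entries before fix: %d, after fix: %d\n",
           stale_after_remove(" a  b ", 0), stale_after_remove(" a  b ", 1));
    return 0;
}
```

In the model, a stale entry is exactly the condition under which a later lookup would hand back a pointer to an attribute the caller has already freed.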

@ppontes ppontes added security 🔒 semver/patch backport-check-skip 15-x-y labels Apr 8, 2022
@ppontes ppontes requested review from a team as code owners Apr 8, 2022
@ppontes ppontes force-pushed the cherry-pick/15-x-y/chromium/652dd12a85 branch from 053077b to 7615006 Compare Apr 8, 2022
zcbenz approved these changes Apr 14, 2022
@zcbenz zcbenz merged commit 53af38a into 15-x-y Apr 18, 2022
14 of 15 checks passed
@zcbenz zcbenz deleted the cherry-pick/15-x-y/chromium/652dd12a85 branch Apr 18, 2022

release-clerk bot commented Apr 18, 2022

Release Notes Persisted

Security: backported fix for CVE-2022-23308.
