Investigate whether CVE-2022-2309 (or similar) is present #2620

flavorjones · 2022-08-08T02:21:59Z

This issue has been opened to track the analysis of a CVE reported in the python lxml library, and whether that bug may be triggerable via Nokogiri.

Related links:

original vuln report: https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba/
lxml patch and test: lxml/lxml@86368e9
CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-2309
upstream libxml2 issues:
- lxml issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/378
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/385#note_1520963
upstream libxml2 patches:
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/5930fe01963136ab92125feec0c6204d9c9225dc
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/a82ea25fc83f563c574ddb863d6c17d9c5abdbd2

The text was updated successfully, but these errors were encountered:

flavorjones · 2022-08-15T21:10:52Z

I've been unable to exploit the underlying libxml2 memory issue using Nokogiri's API. The libxml2 client code for lxml is very different from nokogiri's and does not present the same primitives (a re-usable parser and tree walker).

flavorjones added the topic/security label Aug 8, 2022

flavorjones closed this as completed Aug 15, 2022

flavorjones mentioned this issue Aug 17, 2022

dep: update libxml2 to v2.10.0 #2625

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Investigate whether CVE-2022-2309 (or similar) is present #2620

Investigate whether CVE-2022-2309 (or similar) is present #2620

flavorjones commented Aug 8, 2022 •

edited

Loading

flavorjones commented Aug 15, 2022

Investigate whether CVE-2022-2309 (or similar) is present #2620

Investigate whether CVE-2022-2309 (or similar) is present #2620

Comments

flavorjones commented Aug 8, 2022 • edited Loading

flavorjones commented Aug 15, 2022

flavorjones commented Aug 8, 2022 •

edited

Loading