Source: lxml X-Debbugs-CC: [email protected] Severity: important Tags: security
Hi, The following vulnerability was published for lxml. CVE-2022-2309[0]: | NULL Pointer Dereference allows attackers to cause a denial of service | (or application crash). This only applies when lxml is used together | with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not | affected. It allows triggering crashes through forged input data, | given a vulnerable code sequence in the application. The vulnerability | is caused by the iterwalk function (also used by the canonicalize | function). Such code shouldn't be in wide-spread use, given that | parsing + iterwalk would usually be replaced with the more efficient | iterparse function. However, an XML converter that serialises to C14N | would also be vulnerable, for example, and there are legitimate use | cases for this code sequence. If untrusted input is received (also | remotely) and processed via iterwalk function, a crash can be | triggered. https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba/ https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f (lxml-4.9.1) If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-2309 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2309 Please adjust the affected versions in the BTS as needed.
