An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the 0 value).
Weakness
The product calls free() twice on the same memory address.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libxml2 | Xmlsoft | * | 2.10.4 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | libxml2-0:2.9.7-16.el8_8.1 | * |
| Red Hat Enterprise Linux 8 | RedHat | libxml2-0:2.9.7-16.el8_8.1 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | libxml2-0:2.9.7-13.el8_6.4 | * |
| Red Hat Enterprise Linux 9 | RedHat | libxml2-0:2.9.13-3.el9_2.1 | * |
| Red Hat Enterprise Linux 9 | RedHat | libxml2-0:2.9.13-3.el9_2.1 | * |
| Text-Only JBCS | RedHat | libxml2 | * |
| Libxml2 | Ubuntu | bionic | * |
| Libxml2 | Ubuntu | esm-infra-legacy/trusty | * |
| Libxml2 | Ubuntu | esm-infra/bionic | * |
| Libxml2 | Ubuntu | esm-infra/focal | * |
| Libxml2 | Ubuntu | esm-infra/xenial | * |
| Libxml2 | Ubuntu | focal | * |
| Libxml2 | Ubuntu | jammy | * |
| Libxml2 | Ubuntu | kinetic | * |
| Libxml2 | Ubuntu | lunar | * |
| Libxml2 | Ubuntu | trusty | * |
| Libxml2 | Ubuntu | trusty/esm | * |
| Libxml2 | Ubuntu | xenial | * |
Potential Mitigations
References
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/510
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4
- https://lists.debian.org/debian-lts-announce/2023/04/msg00031.html
- https://security.netapp.com/advisory/ntap-20230601-0006/
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/510
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4
- https://lists.debian.org/debian-lts-announce/2023/04/msg00031.html
- https://security.netapp.com/advisory/ntap-20230601-0006/