libxml2-2.9.13-3.el9.1

エラータID: AXSA:2023-6287:04

Release date: 
Thursday, August 3, 2023 - 07:21
Subject: 
libxml2-2.9.13-3.el9.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

The libxml2 library is a development toolbox providing the implementation of various XML standards.

Security Fix(es):

* libxml2: NULL dereference in xmlSchemaFixupComplexType (CVE-2023-28484)
* libxml2: Hashing of empty dict strings isn't deterministic (CVE-2023-29469)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-28484
In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
CVE-2023-29469
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).

Solution: 

Update packages.

CVEs: 
CVE-2023-28484
In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
CVE-2023-29469
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).
Additional Info: 

N/A

Download: 

SRPMS
  1. libxml2-2.9.13-3.el9.1.src.rpm
    MD5: 6eb10e5e91371de3e3e0188708e0d3f7
    SHA-256: 1826c6140e655d66b0b9a39bb18758ab66b8ef6826f343226f78cf0c6e63b149
    Size: 3.12 MB

Asianux Server 9 for x86_64
  1. libxml2-2.9.13-3.el9.1.i686.rpm
    MD5: cd91bfd8806674528b14a8eb930074dd
    SHA-256: 996b3075d79b0aa07c17682487395f655b97e6ea447e7b1c9380efdcc0244c73
    Size: 783.46 kB
  2. libxml2-2.9.13-3.el9.1.x86_64.rpm
    MD5: 6bfd3ec1931b91bbf46f3b7b2aa3af98
    SHA-256: 337e8490a623c42f20aa7eeeabd62b711814f2a12bcf2eb85461e3d56b1d4351
    Size: 745.63 kB
  3. libxml2-devel-2.9.13-3.el9.1.i686.rpm
    MD5: d98d14cb9f9e190467b5cff5021d6dbe
    SHA-256: 1eff0f093957a50f240a38de2067028053d6cf22584ea8dc16b0dc2e34c9d2a7
    Size: 827.25 kB
  4. libxml2-devel-2.9.13-3.el9.1.x86_64.rpm
    MD5: 7dca08d5b0b70e4e8c01e618411f54f1
    SHA-256: 7728d5e40bf439421d70cc5ecb27e6417f8472ac598970648163d4e997dba08d
    Size: 827.12 kB
  5. python3-libxml2-2.9.13-3.el9.1.x86_64.rpm
    MD5: 56ae60ff7b81e5a3fb6182cdc54568e4
    SHA-256: ff354bd4ae1adba93f90497012ba74f175857602158e498c17658e66cb8218de
    Size: 224.65 kB