CVE-2023-29469

Name
CVE-2023-29469
Description
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4
MISC https://gitlab.gnome.org/GNOME/libxml2/-/issues/510
MLIST https://lists.debian.org/debian-lts-announce/2023/04/msg00031.html
CONFIRM https://security.netapp.com/advisory/ntap-20230601-0006/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:* libxml2 >= None < 2.10.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
libxml2 3.17-main 2.10.4-r0 Carlo Landmeter <clandmeter@alpinelinux.org> fixed
qt5-qtwebengine 3.17-community 5.15.12-r4 Bart Ribbers <bribbers@disroot.org> fixed
libxml2 3.16-main 2.9.14-r2 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
libxml2 3.15-main 2.9.14-r2 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable