ff3b5ca2c1
Fix CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. https://github.com/lxml/lxml/blob/lxml-4.9.1/CHANGES.txt Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
7 lines
526 B
Plaintext
7 lines
526 B
Plaintext
# Locally computed
|
|
sha256 fe749b052bb7233fe5d072fcb549221a8cb1a16725c47c37e42b0b9cb3ff2c3f lxml-4.9.1.tar.gz
|
|
sha256 41d49dd406aa0e1548a6d5f21a30d6bf638b3cd96eb7289dd348d83ed2e40392 LICENSES.txt
|
|
sha256 69edb445c1335a8312d4c09271847e9956d84f0d9f724d125340cc3fad767b2a doc/licenses/BSD.txt
|
|
sha256 0497ae8138811ef4466ede653bab7a59feb3d3c14f9ed50fc33a00aeb5bec32e doc/licenses/elementtree.txt
|
|
sha256 56c5b13f28b78958890c36e3249c34c169041e42ebcfdce8080f3324ba2bf4de src/lxml/isoschematron/resources/rng/iso-schematron.rng
|