Security update for python-lxml SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:2878-1 Final 1 1 2022-08-23T11:51:31Z current 2022-08-23T11:51:31Z 2022-08-23T11:51:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-lxml This update for python-lxml fixes the following issues: - CVE-2022-2309: Fixed NULL pointer dereference due to state leak between parser runs (bsc#1201253). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-2878,SUSE-SLE-Module-Public-Cloud-Unrestricted-15-2022-2878 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20222878-1/ Link for SUSE-SU-2022:2878-1 https://lists.suse.com/pipermail/sle-security-updates/2022-August/011973.html E-Mail link for SUSE-SU-2022:2878-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1201253 SUSE Bug 1201253 https://www.suse.com/security/cve/CVE-2022-2309/ SUSE CVE CVE-2022-2309 page SUSE Linux Enterprise Module for Public Cloud 15 python2-lxml-4.7.1-150100.6.6.1 python2-lxml-devel-4.7.1-150100.6.6.1 python2-lxml-doc-4.7.1-150100.6.6.1 python3-lxml-4.7.1-150100.6.6.1 python3-lxml-devel-4.7.1-150100.6.6.1 python3-lxml-doc-4.7.1-150100.6.6.1 python3-lxml-4.7.1-150100.6.6.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 python3-lxml-devel-4.7.1-150100.6.6.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 python3-lxml-doc-4.7.1-150100.6.6.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. CVE-2022-2309 SUSE Linux Enterprise Module for Public Cloud 15:python3-lxml-4.7.1-150100.6.6.1 SUSE Linux Enterprise Module for Public Cloud 15:python3-lxml-devel-4.7.1-150100.6.6.1 SUSE Linux Enterprise Module for Public Cloud 15:python3-lxml-doc-4.7.1-150100.6.6.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20222878-1/ https://www.suse.com/security/cve/CVE-2022-2309.html CVE-2022-2309 https://bugzilla.suse.com/1201253 SUSE Bug 1201253