Re: [xml] Release of libxml2 2.9.13

On 20/02/2022 20:50, Mike Dalessio wrote:
Is there any additional information about CVE-2022-23308 (other than the commit log) that would help downstream projects triage? Was there a CVSS score calculated or severity assigned?

In this case, the CVE record is managed by a third party. It should be made public soon, but I have no influence on that. In my personal opinion, the whole CVE system is severely flawed with regard to OSS projects. Basically, anyone can request a CVE ID for arbitrary projects without having to coordinate with maintainers.

It's often hard, if not impossible, to come up with meaningful CVSS scores for vulnerabilities in software libraries. If there's a flaw in a certain library function, it really depends on how this function used by downstream projects. If you look at major Linux distros, there are 500+ projects with a direct dependency on libxml2, and thousands with an indirect dependency. Most of them don't call the vulnerable functions at all, some others are libraries themselves, so it all depends on their users.

There are quite a few preconditions to be met to trigger a use-after-free in this particular case, so I'm not overly concerned. Even then, it seems anything but trivial come up with a serious exploit. But I'm not really an expert and you never can tell without auditing tens or hundreds of downstream projects. Besides, I only have limited resources to assess the impact of security issues, and it's always possible that I missed something.

Note that for some reason, GitLab truncates the commit message after ~1000 characters with no obvious way to expand it, at least on You can see the full commit message on the GitHub mirror:


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]