GNOME libxml2
cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*
- >= 2.13.0
A denial-of-service vulnerability has been identified in libxml2. The issue arises when the library processes XML documents validated by XML Schema Definitions (XSD) that contain internal entity references. This flaw creates a type confusion error, causing applications to crash and making systems unavailable. The vulnerability can be exploited by providing a maliciously crafted document that takes advantage of this flaw during entity expansion, particularly when streaming XSD validation is active.
Exploitation of this vulnerability causes a segmentation fault (SIGSEGV) by dereferencing a confused pointer, leading to a crash. This behavior disrupts normal application operation, causing a denial-of-service condition.
The vulnerability can be reproduced by using libxml2's XML parser with a document that includes an internal entity reference, validated against any XSD schema. This can be done using the 'xmlTextReader' API with the 'XML_PARSE_NOENT' option, which disables entity expansion, or through the 'lxml' Python library, which uses 'libxml2' under the hood. The crash occurs during the first read operation after the entity reference is processed, due to the incorrect handling of the SAX callback user data.
Users can update to the latest version of libxml2, where this vulnerability has been fixed. Red Hat users should refer to the Red Hat Update Management documentation for guidance on applying the update.
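Where an update cannot be applied immediately, one conservative pre-screen is to refuse documents that declare internal entities before they reach streaming XSD validation. The code below is an added example, not libxml2 or lxml code: it uses Python's standard-library expat bindings, its function names are hypothetical, and it assumes that rejecting such documents is acceptable for the application.

```python
import xml.parsers.expat


class _InternalEntity(Exception):
    """Raised from the expat callback to stop at the first declaration."""


def first_internal_entity(data: bytes):
    """Return the name of the first internal general entity declared, else None.

    Raises xml.parsers.expat.ExpatError if the document is not well-formed.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # expat passes value=None for external and unparsed entities. The
        # trigger described above is an internal entity reference, so only
        # internal general entities are flagged here.
        if value is not None and not is_param:
            raise _InternalEntity(name)

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except _InternalEntity as found:
        # Parsing stops at the declaration, before any reference is expanded.
        return found.args[0]
    return None


def admit_for_streaming_xsd(data: bytes) -> bool:
    """Gate: True only for well-formed input that declares no internal entity."""
    try:
        return first_internal_entity(data) is None
    except xml.parsers.expat.ExpatError:
        return False


# Constructed sample inputs (not taken from any real report).
WITH_ENTITY = b'<!DOCTYPE r [<!ENTITY e "text">]><r>&e;</r>'
PLAIN = b"<r>a &amp; b</r>"
EXTERNAL_ONLY = b'<!DOCTYPE r [<!ENTITY x SYSTEM "x.txt">]><r/>'
TRUNCATED = b"<r>"

if __name__ == "__main__":
    for doc in (WITH_ENTITY, PLAIN, EXTERNAL_ONLY, TRUNCATED):
        print(admit_for_streaming_xsd(doc), doc)
```

The gate only covers the internal-entity trigger described here; external entity declarations pass it and need their own handling.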