Skip to content

Potential Vulnerability in Cloned Code#191

Merged
MrR0b0X merged 1 commit intoMolotovCherry:masterfrom
tlnguyen-smu:cve-req-2618
Dec 19, 2025
Merged

Potential Vulnerability in Cloned Code#191
MrR0b0X merged 1 commit intoMolotovCherry:masterfrom
tlnguyen-smu:cve-req-2618

Conversation

@tlnguyen-smu
Copy link

@tlnguyen-smu tlnguyen-smu commented Dec 16, 2025

This PR fixes a potential security vulnerability in xmlParseBalancedChunkMemoryRecover() that was cloned from https://gitlab.gnome.org/GNOME/libxml2 but did not receive the security patch.

Details:

Affected Function: xmlParseBalancedChunkMemoryRecover() in libxml2-2.9.9/parser.c
Original Fix: https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a02583c7e683896d84878bd90641d8d9b0d0549

What this PR does:

This PR applies the same security patch that was applied to the original repository to eliminate the potential vulnerability in the cloned code.

References:

Please review and merge this PR to ensure your repository is protected against this potential vulnerability.

@lamntu
Fix memory leak in xmlParseBalancedChunkMemoryRecover
402b662 
When doc is NULL, namespace created in xmlTreeEnsureXMLDecl is bind to newDoc->oldNs, in this case, set newDoc->oldNs to NULL and free newDoc will cause a memory leak.
@MrR0b0X MrR0b0X merged commit bec4376 into MolotovCherry:master Dec 19, 2025
@tlnguyen-smu
Copy link
Author

tlnguyen-smu commented Dec 21, 2025

Hi @MrR0b0X, thanks for merging our PR. We plan to request a CVE for this issue. Just wanna make sure if you are OK with us proceeding with the CVE submission. Thank you!

@LEEKIYOON-SEC LEEKIYOON-SEC mentioned this pull request Mar 24, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tlnguyen-smu @MrR0b0X @lamntu