[CVE-2024-40896] XXE protection broken in downstream code
Hello,

I'm part of the LibreOffice project and we use libxml2 as an external library. Recently I upgraded it to 2.13 and it seems it has introduced a regression compared to libxml2 2.12.8 where CVE-2012-0037 can be exploited.

Back in the day, we added a unit test to our source code to cover CVE-2012-0037 and it started to fail with https://gerrit.libreoffice.org/c/core/+/169327/comments/f0a76fdd_48f934d5 when libxml2 was upgraded, showing the content of /etc/passwd. (Note: in order to reproduce it in LibreOffice, you have to build with --without-system-libxml.)

You can find the PoC document at https://git.libreoffice.org/core/+/cdda6533b44333b18d3dc6306dfd0f7058e40b32/unoxml/qa/unit/data/cve_2012_0037.rdf

Looking forward to hearing from you,
Xisco