Investigate whether CVE-2022-2309 (or similar) is present

[flavorjones]

This issue has been opened to track the analysis of a CVE reported in the python lxml library, and whether that bug may be triggerable via Nokogiri.

Related links:

• original vuln report: https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba/
• lxml patch and test: lxml/lxml@86368e9
• CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-2309
• upstream libxml2 issues:
  • lxml issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/378
  • https://gitlab.gnome.org/GNOME/libxml2/-/issues/385#note_1520963
• upstream libxml2 patches:
  • https://gitlab.gnome.org/GNOME/libxml2/-/commit/5930fe01963136ab92125feec0c6204d9c9225dc
  • https://gitlab.gnome.org/GNOME/libxml2/-/commit/a82ea25fc83f563c574ddb863d6c17d9c5abdbd2

[flavorjones]

I've been unable to exploit the underlying libxml2 memory issue using Nokogiri's API. The libxml2 client code for lxml is very different from nokogiri's and does not present the same primitives (a re-usable parser and tree walker).