Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 582538 (CVE-2016-4483)

Summary: <dev-libs/libxml2-2.9.4: out-of-bounds read parsing an XML in libxml2 using recover mode
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-05-09 10:10:30 UTC
From ${URL} :

We found an out-of-bounds read parsing a specially crafted xml in libxml2
if recover mode is used. It affects all versions.  It was discovered before
by another guy but for some reason, never reported or fixed. Since upstream
is not responding, i think it is a good time to publish some details here.

$ xmllint -recover ohizsmaase.xml.-6355798974422201279
==2994== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60040000d5d3 at pc 0x73320a bp 0x7fffffffc1e0 sp 0x7fffffffc1d8
READ of size 1 at 0x60040000d5d3 thread T0
0x60040000d5d3 is located 0 bytes to the right of 3-byte region

And backtrace is here:

#7  0x000000000073320a in xmlBufAttrSerializeTxtContent
(buf=0x600c0000a7c0, doc=0x601e0000ef50, attr=0x601000007ea0,
string=0x60040000d5d0 <incomplete sequence \341>) at xmlsave.c:2057
#8  0x000000000072af0b in xmlAttrSerializeContent (buf=0x600c0000a820,
attr=0x601000007ea0) at xmlsave.c:443
#9  0x000000000072c36c in xmlAttrDumpOutput (ctxt=0x601c0000ca60,
cur=0x601000007ea0) at xmlsave.c:780
#10 0x000000000072c3b2 in xmlAttrListDumpOutput (ctxt=0x601c0000ca60,
cur=0x601000007ea0) at xmlsave.c:797
#11 0x000000000072dc22 in xmlNodeDumpOutputInternal (ctxt=0x601c0000ca60,
cur=0x60180000b440) at xmlsave.c:1055
#12 0x000000000072ef8a in xmlDocContentDumpOutput (ctxt=0x601c0000ca60,
cur=0x601e0000ef50) at xmlsave.c:1234
#13 0x000000000073246c in xmlSaveDoc (ctxt=0x601c0000ca60,
doc=0x601e0000ef50) at xmlsave.c:1936
#14 0x000000000040a238 in parseAndPrintFile (filename=0x7fffffffe759
"ohizsmaase.xml.-6355798974422201279", rectxt=0x0) at xmllint.c:2689
#15 0x000000000040fe5e in main (argc=3, argv=0x7fffffffe4a8) at

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Pacho Ramos gentoo-dev 2016-05-21 12:04:44 UTC
Taking care that even three hours ago they fixed another security issue in master maybe we should way a bit instead of bumping/stabilizing  a new version per day :S
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-01-16 21:24:02 UTC
This issue was resolved and addressed in
 GLSA 201701-37 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-16 21:26:01 UTC
This issue was resolved and addressed in
 GLSA 201701-37 at
by GLSA coordinator Thomas Deutschmann (whissi).