| Summary: | <dev-libs/libxml2-2.9.4-r3: null pointer dereference when parsing a xml file using recover mode (CVE-2017-5969) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | gnome |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2016/11/05/3 | ||
| See Also: | https://bugzilla.gnome.org/show_bug.cgi?id=778519 | ||
| Whiteboard: | A3 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 623206 | ||
| Bug Blocks: | |||
Patch for this issue have been pushed in libxml-2.9.4-r2. Please note that: * patches where cherry-picked from upstream master according to information found in this ticket, some patches were harder to find due to upstream blocking access to it. * unittests in the ebuild are actually not being run for a long time certainly due to a problem when porting to multilib. Maybe it existed before, didn't check yet. Anyway, as lots of other security related fixes are pending an upstream release, I pushed this as a stop gap until I get more time to do a proper snapshot and fix these unittests issues. This issue was resolved and addressed in GLSA 201711-01 at https://security.gentoo.org/glsa/201711-01 by GLSA coordinator Christopher Diaz Riveros (chrisadr). |
From ${URL} : $ xmllint --recover crash-libxml2-recover.xml ==27646==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004fbd88 bp 0x7ffc3345dff0 sp 0x7ffc3345dfd0 T0) #0 0x4fbd87 in xmlDumpElementContent /home/g/Work/Code/libxml2-2.9.4/valid.c:1181 #1 0x4fbcd5 in xmlDumpElementContent /home/g/Work/Code/libxml2-2.9.4/valid.c:1177 #2 0x4fe5ff in xmlDumpElementDecl /home/g/Work/Code/libxml2-2.9.4/valid.c:1706 #3 0x72e714 in xmlBufDumpElementDecl /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:501 #4 0x73048f in xmlNodeDumpOutputInternal /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:939 #5 0x72fc47 in xmlNodeListDumpOutput /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:825 #6 0x72f6d5 in xmlDtdDumpOutput /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:749 #7 0x73038f in xmlNodeDumpOutputInternal /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:931 #8 0x732412 in xmlDocContentDumpOutput /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:1234 #9 0x735883 in xmlSaveDoc /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:1936 #10 0x40ba0f in parseAndPrintFile /home/g/Work/Code/libxml2-2.9.4/xmllint.c:2712 #11 0x411eb6 in main /home/g/Work/Code/libxml2-2.9.4/xmllint.c:3767 #12 0x7f23dcd4c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290) #13 0x4032b9 in _start (/home/g/Work/Code/libxml2-2.9.4/xmllint+0x4032b9) A reproducer is attached. It is interesting to note that the developers of libxml2 strongly recommend not to use recover mode to parse untrusted inputs. Please assign a CVE if suitable. Regards, Gustavo. [ CONTENT OF TYPE text/html SKIPPED ] <?xml version="1.0"?> <!DOCTYPE root [ <!ELEMENT root (a,b)> <!ELEMENT a EMPTY> <!ELEMENT b (#PCDATA|c)* > <!ELEMENT c ANY> <!ELEMENT d ANY> <!ELEMENT e ANY> <!ELEMENT f ANY> <!--* test all pble children,cp,choice,seq patterns in P47,P48,P49,P--> <!ELEMENT child0 (a)> <!ELEMENT child1 (a|b|c)> <!ELEMENT child2 (a ,b,b?,a*,c,c,a,a,b+,c ) > <!ELEMENT child3 (a+|b)? > <!ELEMENT child4 (a, (b|cp+, (a|d)?, (e|f)* )?> <!ELEMENT child5 ( (a,b) | c? | ((d|e),b,c) )* > <!ELEMENT child5_1 ( (a�b)* | (c,b)? | (d,a)+ | ((e|f),b,c) )* > <!ELEMENT child6 (a,b,c)*> <!ELEMENT child7 ((a,b)|c*|((d|e),b,c) )+ > <!ELEMENT child8 ( a, (bb), b)+> ]> <root><a/><b> <c></c > content of b element </b></root> <!--* test: tests P47,P48,P49,P50*--> @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.