Bug 572878 (CVE-2016-2073) - <dev-libs/libxml2-2.9.4: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function
Summary: <dev-libs/libxml2-2.9.4: Out-of-bounds Read in the libxml2's htmlParseNameCom...
Status: RESOLVED FIXED
Alias: CVE-2016-2073
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-25 14:34 UTC by Agostino Sarubbo
Modified: 2017-01-16 21:25 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2016-01-25 14:34:56 UTC
From ${URL} :

Hello,
We found a vulnerability in the way libxml2's htmlParseNameComplex() function parses certain XML files.
I was successful in reproducing this issue in the latest version of libxml2 (git clone git://git.gnome.org/libxml2).
HTMLparser.c line 2517:

       return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));

"ctxt->input->cur - len" causes an out-of-bounds read.

Bug info:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60620000d8ff at pc 0x62f90d bp 0x7fffa1464060 sp 0x7fffa1464058
READ of size 1 at 0x60620000d8ff thread T0
0x60620000d8ff is located 1 bytes to the left of 4096-byte region [0x60620000d900,0x60620000e900)
allocated by thread T0 here:



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
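The defect class behind the report is a name lookup that forms the pointer cur - len without confirming that len bytes of the live buffer actually precede cur; if the buffer start has moved forward since the scan began, the pointer lands before the allocation, which is exactly the "1 bytes to the left" read ASan flags above. The following added example (not libxml2's code; a simplified model with a constructed input) contrasts the unchecked pointer arithmetic with a bounds-checked form that rejects the lookup instead.

```c
#include <stddef.h>
#include <ctype.h>

/* Simplified model of a parser input: [base, end) is the live buffer and cur is the
 * read cursor. This is an illustration, not libxml2's xmlParserInput. */
typedef struct {
    const char *base;
    const char *cur;
    const char *end;
} input_t;

/* Count the name characters starting at in->cur and advance the cursor past them. */
static size_t scan_name(input_t *in) {
    size_t len = 0;
    while (in->cur < in->end && (isalnum((unsigned char)*in->cur) || *in->cur == '-')) {
        in->cur++;
        len++;
    }
    return len;
}

/* Unchecked form, the pattern in the reported line xmlDictLookup(dict, cur - len, len):
 * it trusts that len bytes precede cur. If base moved forward after the scan started,
 * the result lies before the live buffer and dereferencing it is an out-of-bounds read. */
const char *name_start_unchecked(const input_t *in, size_t len) {
    return in->cur - len;
}

/* Checked form: refuse to form a pointer that would precede base; the caller treats
 * NULL as a parse error rather than reading outside the buffer. */
const char *name_start_checked(const input_t *in, size_t len) {
    if (len > (size_t)(in->cur - in->base))
        return NULL;
    return in->cur - len;
}

/* Scenario on a constructed input: scan "sample-name", then move base forward by
 * `discard` bytes to model a buffer shrink that drops already-consumed data.
 * Returns the byte offset of the unchecked pointer from the live buffer start
 * (negative = before the buffer) and reports whether the checked lookup accepted it. */
ptrdiff_t run_scenario(size_t discard, size_t *len_out, int *accepted) {
    static const char text[] = "sample-name>";   /* constructed sample input */
    input_t in = { text, text, text + sizeof(text) - 1 };
    size_t len = scan_name(&in);
    in.base += discard;                           /* the shrink happens here */
    if (len_out) *len_out = len;
    *accepted = name_start_checked(&in, len) != NULL;
    return name_start_unchecked(&in, len) - in.base;
}
```

With discard set to 0 both forms agree; with any positive discard the unchecked pointer ends up before base while the checked form returns NULL, which is the condition a bounds check must catch before the dictionary lookup.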
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-11-17 10:39:09 UTC
CVE-2016-2073 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2073):
  The htmlParseNameComplex function in HTMLparser.c in libxml2 allows
  attackers to cause a denial of service (out-of-bounds read) via a crafted
  XML document.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 00:20:02 UTC
Upstream solved this as part of the fix for bug 573820 (CVE-2016-1839), see https://github.com/GNOME/libxml2/commit/a820dbeac29d330bae4be05d9ecd939ad6b4aa33.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-01-16 21:23:40 UTC
This issue was resolved and addressed in
 GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37
by GLSA coordinator Thomas Deutschmann (whissi).