Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 599192 (CVE-2017-5969) - <dev-libs/libxml2-2.9.4-r3: null pointer dereference when parsing a xml file using recover mode (CVE-2017-5969)
Summary: <dev-libs/libxml2-2.9.4-r3: null pointer dereference when parsing a xml file ...
Status: RESOLVED FIXED
Alias: CVE-2017-5969
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: CVE-2017-7375
Blocks:
  Show dependency tree
 
Reported: 2016-11-08 09:58 UTC by Agostino Sarubbo
Modified: 2017-11-10 03:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-11-08 09:58:31 UTC
From ${URL} :


$ xmllint --recover crash-libxml2-recover.xml

==27646==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x0000004fbd88 bp 0x7ffc3345dff0 sp 0x7ffc3345dfd0 T0)
    #0 0x4fbd87 in xmlDumpElementContent
/home/g/Work/Code/libxml2-2.9.4/valid.c:1181
    #1 0x4fbcd5 in xmlDumpElementContent
/home/g/Work/Code/libxml2-2.9.4/valid.c:1177
    #2 0x4fe5ff in xmlDumpElementDecl
/home/g/Work/Code/libxml2-2.9.4/valid.c:1706
    #3 0x72e714 in xmlBufDumpElementDecl
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:501
    #4 0x73048f in xmlNodeDumpOutputInternal
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:939
    #5 0x72fc47 in xmlNodeListDumpOutput
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:825
    #6 0x72f6d5 in xmlDtdDumpOutput
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:749
    #7 0x73038f in xmlNodeDumpOutputInternal
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:931
    #8 0x732412 in xmlDocContentDumpOutput
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:1234
    #9 0x735883 in xmlSaveDoc /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:1936
    #10 0x40ba0f in parseAndPrintFile
/home/g/Work/Code/libxml2-2.9.4/xmllint.c:2712
    #11 0x411eb6 in main /home/g/Work/Code/libxml2-2.9.4/xmllint.c:3767
    #12 0x7f23dcd4c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #13 0x4032b9 in _start
(/home/g/Work/Code/libxml2-2.9.4/xmllint+0x4032b9)


A reproducer is attached. It is interesting to note that the developers of
libxml2 strongly recommend not to use recover mode to parse untrusted
inputs. Please assign a CVE if suitable.

Regards,
Gustavo.

[ CONTENT OF TYPE text/html SKIPPED ]

<?xml version="1.0"?>
<!DOCTYPE root [
  <!ELEMENT root (a,b)>
  <!ELEMENT a EMPTY>
  <!ELEMENT b (#PCDATA|c)* >
  <!ELEMENT c ANY>
  <!ELEMENT d ANY>
  <!ELEMENT e ANY>
  <!ELEMENT f ANY>
  <!--* test all pble children,cp,choice,seq patterns in P47,P48,P49,P-->
  <!ELEMENT child0 (a)>
  <!ELEMENT child1 (a|b|c)>
  <!ELEMENT child2 (a ,b,b?,a*,c,c,a,a,b+,c ) >
  <!ELEMENT child3 (a+|b)? >
  <!ELEMENT child4 (a, (b|cp+, (a|d)?, (e|f)* )?>
  <!ELEMENT child5 ( (a,b) | c? | ((d|e),b,c) )* >
  <!ELEMENT child5_1 ( (a�b)* | (c,b)? | (d,a)+ | ((e|f),b,c) )* >
  <!ELEMENT child6 (a,b,c)*>
  <!ELEMENT child7 ((a,b)|c*|((d|e),b,c) )+ >
  <!ELEMENT child8 ( a, (bb), b)+>  
]>
<root><a/><b>
   <c></c >
   content of b element
</b></root>
<!--* test: tests P47,P48,P49,P50*-->



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Gilles Dartiguelongue gentoo-dev 2017-08-23 07:33:22 UTC
Patch for this issue have been pushed in libxml-2.9.4-r2.

Please note that:
* patches where cherry-picked from upstream master according to information found in this ticket, some patches were harder to find due to upstream blocking access to it.
* unittests in the ebuild are actually not being run for a long time certainly due to a problem when porting to multilib. Maybe it existed before, didn't check yet.

Anyway, as lots of other security related fixes are pending an upstream release, I pushed this as a stop gap until I get more time to do a proper snapshot and fix these unittests issues.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-11-10 03:48:52 UTC
This issue was resolved and addressed in
 GLSA 201711-01 at https://security.gentoo.org/glsa/201711-01
by GLSA coordinator Christopher Diaz Riveros (chrisadr).