Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Mon, 2 Nov 2015 08:24:10 -0300
From: Gustavo Grieco <>
Subject: CVE request: DoS in libxml2 if xz is enabled


We found a denial of service parsing a specially crafted XML in libxml2
if xz support is enabled. It affects version 2.9.1 and probably others.
Find attached an XML that never finishes the parsing process:

gdb --quiet --args xmllint /tmp/test.xz
Reading symbols from xmllint...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/xmllint /tmp/test.xz
Program received signal SIGINT, Interrupt.
0xb7f3e63c in xz_decomp (state=state@...ry=0x8001cff0) at ../../xzlib.c:509
509 ../../xzlib.c: No such file or directory.
(gdb) bt
#0  0xb7f3e63c in xz_decomp (state=state@...ry=0x8001cff0) at
#1  0xb7f3ea25 in xz_make (state=<optimized out>) at ../../xzlib.c:603
#2  0xb7f3f3e7 in __libxml2_xzread (file=file@...ry=0x8001cff0,
buf=buf@...ry=0x8001d190, len=len@...ry=4000) at ../../xzlib.c:694
#3  0xb7e87dfb in xmlXzfileRead (context=0x8001cff0, buffer=0x8001d190 "",
len=4000) at ../../xmlIO.c:1421
#4  0xb7e89aaa in xmlParserInputBufferGrow__internal_alias (in=0x8001d140,
len=4000, len@...ry=250) at ../../xmlIO.c:3317
#5  0xb7e5af21 in xmlParserInputGrow__internal_alias (in=0x8001f198,
len=len@...ry=250) at ../../parserInternals.c:320
#6  0xb7e60581 in xmlGROW (ctxt=ctxt@...ry=0x8001c258) at
#7  0xb7e72d49 in xmlParseDocument__internal_alias (ctxt=ctxt@...ry=0x8001c258)
at ../../parser.c:10672
#8  0xb7e731a0 in xmlDoRead (ctxt=0x8001c258, URL=0x0, encoding=0x0,
options=4259840, reuse=0) at ../../parser.c:15242
#9  0x80009fc8 in ?? ()
#10 0x80006887 in main ()

Upstream is working to fix this issue. This test case was found using afl.


Download attachment "test.xz" of type "application/x-xz" (28 bytes)
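The report reproduces the hang by running xmllint under gdb and interrupting it by hand. The script below is an added example (not part of the post, and not libxml2's own tooling) that does the same check unattended: it runs the parse under a wall-clock limit with GNU coreutils `timeout`, classifies the outcome from the exit status, and, for a run that is still alive after the limit, attaches gdb to the stuck process to capture the backtrace the post shows. It assumes `xmllint`, `timeout` and `gdb` are on PATH, that the crafted file is passed as the first argument (the post's /tmp/test.xz), that ptrace attach is permitted for the current user, and that a parse of a 28-byte input exceeding the limit is a hang rather than slow work; the function names and the `LIMIT` variable are this example's own.

```shell
#!/bin/sh
# Added example: detect a non-terminating parse (as reported for
# libxml2 2.9.1 with xz support) without sitting in gdb waiting for Ctrl-C.
# Assumptions: GNU coreutils `timeout` (exit 124 when it kills the child),
# xmllint and gdb on PATH, ptrace attach allowed. LIMIT is a name chosen here.

LIMIT="${LIMIT:-10}"

# classify_rc RC
# Maps an exit status to a label. 0 is a clean run; 124 means `timeout`
# killed the child, i.e. the command did not finish within the limit;
# 128+N means the child died from signal N; anything else is an ordinary
# error (xmllint uses small codes for not-well-formed input).
classify_rc() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 124 ]; then
        echo hang
    elif [ "$rc" -ge 129 ]; then
        echo "crash:$((rc - 128))"
    else
        echo error
    fi
}

# run_limited SECONDS CMD [ARGS...]
# Runs CMD under a wall-clock limit and prints its classification.
# Output of CMD is discarded; only the exit status matters here.
run_limited() {
    limit="$1"; shift
    timeout "$limit" "$@" >/dev/null 2>&1
    classify_rc "$?"
}

# classify_parse FILE [SECONDS]
# The xmllint case from the report: parse FILE, no output, under a limit.
classify_parse() {
    run_limited "${2:-$LIMIT}" xmllint --noout "$1"
}

# backtrace_hang FILE [SECONDS]
# Starts the parse in the background; if it is still running after the
# wait, attaches gdb to the live process and prints the backtrace (this
# is how the xz_decomp / xz_make / __libxml2_xzread frames in the post
# would be recovered unattended), then kills the stuck parser.
backtrace_hang() {
    xmllint --noout "$1" >/dev/null 2>&1 &
    pid=$!
    sleep "${2:-$LIMIT}"
    if kill -0 "$pid" 2>/dev/null; then
        echo "xmllint pid $pid still running after ${2:-$LIMIT}s; backtrace:"
        gdb -batch -p "$pid" -ex bt 2>/dev/null
        kill "$pid" 2>/dev/null
        return 0
    fi
    echo "xmllint pid $pid finished within the limit"
    return 1
}

# Usage: ./check_hang.sh /tmp/test.xz
if [ $# -gt 0 ]; then
    result=$(classify_parse "$1")
    echo "$1: $result"
    if [ "$result" = hang ]; then
        backtrace_hang "$1"
    fi
fi
```

A result of `hang` on a well-formed tiny input is the signal that the decompression loop in xzlib.c is not making progress; the same harness can be pointed at a directory of afl-generated inputs to triage them into ok, error, hang and crash buckets before anyone opens a debugger.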
