Date: Tue, 3 May 2016 18:36:50 +0200
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: out-of-bounds read parsing an XML in libxml2 using recover mode

Hi,

We found an out-of-bounds read parsing a specially crafted XML in libxml2
if recover mode is used. It affects all versions. It was discovered before
by another guy but for some reason, never reported or fixed. Since upstream
is not responding, I think it is a good time to publish some details here.

$ xmllint -recover ohizsmaase.xml.-6355798974422201279
...
==2994== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60040000d5d3 at pc 0x73320a bp 0x7fffffffc1e0 sp 0x7fffffffc1d8
READ of size 1 at 0x60040000d5d3 thread T0
...
0x60040000d5d3 is located 0 bytes to the right of 3-byte region
[0x60040000d5d0,0x60040000d5d3)

And backtrace is here:

...
#7  0x000000000073320a in xmlBufAttrSerializeTxtContent
(buf=0x600c0000a7c0, doc=0x601e0000ef50, attr=0x601000007ea0,
string=0x60040000d5d0 <incomplete sequence \341>) at xmlsave.c:2057
#8  0x000000000072af0b in xmlAttrSerializeContent (buf=0x600c0000a820,
attr=0x601000007ea0) at xmlsave.c:443
#9  0x000000000072c36c in xmlAttrDumpOutput (ctxt=0x601c0000ca60,
cur=0x601000007ea0) at xmlsave.c:780
#10 0x000000000072c3b2 in xmlAttrListDumpOutput (ctxt=0x601c0000ca60,
cur=0x601000007ea0) at xmlsave.c:797
#11 0x000000000072dc22 in xmlNodeDumpOutputInternal (ctxt=0x601c0000ca60,
cur=0x60180000b440) at xmlsave.c:1055
#12 0x000000000072ef8a in xmlDocContentDumpOutput (ctxt=0x601c0000ca60,
cur=0x601e0000ef50) at xmlsave.c:1234
#13 0x000000000073246c in xmlSaveDoc (ctxt=0x601c0000ca60,
doc=0x601e0000ef50) at xmlsave.c:1936
#14 0x000000000040a238 in parseAndPrintFile (filename=0x7fffffffe759
"ohizsmaase.xml.-6355798974422201279", rectxt=0x0) at xmllint.c:2689
#15 0x000000000040fe5e in main (argc=3, argv=0x7fffffffe4a8) at
xmllint.c:3739

A reproducer is available upon request. Please assign a CVE if necessary.

Regards,
Gustavo.
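The reproducer is not public, but the trace above gives the shape of the bug: gdb shows the attribute value ending in an incomplete UTF-8 sequence (\341, i.e. 0xE1, the lead byte of a 3-byte sequence) and ASan reports a 1-byte read just past a 3-byte heap region. That is consistent with a serializer that trusts the length announced by a UTF-8 lead byte and reads continuation bytes without checking that the string still has them. The following C is an added illustration of that bug class, not libxml2's code and not the reporter's: `walk_unchecked` models the vulnerable pattern, `walk_checked` is the bounded form, and `overread_past_region` is a small harness (all three names are mine) that places a constructed value in a zero-padded buffer so the over-read can be measured without a sanitizer.

```c
/*
 * Added illustration of the bug class behind the report above.  Simplified
 * stand-in, NOT libxml2's code: a UTF-8 walker that believes the lead byte's
 * length promise and reads continuation bytes without checking that the
 * string actually contains them.  All inputs are constructed for the demo.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sequence length announced by a UTF-8 lead byte; 0 if it cannot start one. */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if (lead < 0xC0) return 0;   /* continuation byte in lead position */
    if (lead < 0xE0) return 2;
    if (lead < 0xF0) return 3;
    if (lead < 0xF8) return 4;
    return 0;
}

/*
 * Vulnerable pattern: walk a NUL-terminated attribute value and, for each
 * lead byte, consume need-1 continuation bytes unconditionally.  A lead byte
 * sitting right before the terminator makes this step over the NUL and read
 * whatever follows the allocation.  Returns the index one past the last byte
 * it read; the caller must supply a padded buffer to make this safe to call.
 */
size_t walk_unchecked(const unsigned char *val)
{
    size_t i = 0;
    while (val[i] != '\0') {
        size_t need = utf8_seq_len(val[i]);
        if (need == 0) need = 1;                    /* stray byte: skip it */
        unsigned int cp = val[i];
        for (size_t k = 1; k < need; k++)
            cp = (cp << 6) | (val[i + k] & 0x3F);   /* no check for NUL here */
        (void)cp;
        i += need;
    }
    return i;
}

/*
 * Hardened form: the walker knows the value's length, refuses to read past
 * it, and requires every continuation byte to have the 10xxxxxx form.
 * Returns the number of code points, or -1 for a truncated/malformed value.
 */
long walk_checked(const unsigned char *val, size_t len)
{
    size_t i = 0;
    long count = 0;
    while (i < len && val[i] != '\0') {
        size_t need = utf8_seq_len(val[i]);
        if (need == 0 || i + need > len) return -1;      /* bad lead or truncated */
        for (size_t k = 1; k < need; k++)
            if ((val[i + k] & 0xC0) != 0x80) return -1;  /* not a continuation byte */
        i += need;
        count++;
    }
    return count;
}

/*
 * Harness: put `value` (len bytes) plus its NUL terminator at the start of a
 * zero-filled buffer, the way a strdup'd attribute value sits in a (len+1)-byte
 * heap region, and report how many bytes past that region the unchecked
 * walker read.  Zero means no over-read.
 */
size_t overread_past_region(const unsigned char *value, size_t len)
{
    unsigned char buf[64] = {0};
    if (len > 32) return 0;
    memcpy(buf, value, len);                 /* buf[len] stays 0: the terminator */
    size_t touched = walk_unchecked(buf);    /* index one past the last byte read */
    size_t region = len + 1;
    return touched > region ? touched - region : 0;
}

int main(void)
{
    /* Constructed inputs: a valid value, and one ending in the lead byte
       0xE1 (\341), which announces a 3-byte sequence with nothing after it. */
    static const unsigned char ok[]  = "caf\xC3\xA9";
    static const unsigned char bad[] = "a\xE1";
    printf("valid:     over-read %zu byte(s), checked count %ld\n",
           overread_past_region(ok, 5), walk_checked(ok, 5));
    printf("truncated: over-read %zu byte(s), checked result %ld\n",
           overread_past_region(bad, 2), walk_checked(bad, 2));
    return 0;
}
```

For the truncated value the unchecked walker reads one byte beyond the 3-byte region (the value, its terminator, and then one byte past the end), which is the same geometry ASan reports above; the checked walker returns -1 without touching anything past `len`. The fix that matters is the `i + need > len` test and the continuation-byte check: the serializer must bound its reads by the value's length, not by what the lead byte claims.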
