Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 6 May 2016 17:07:01 +0200
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: an invalid pointer read in mini-xml 2.7

Hi,

An invalid pointer read located in a vsnprintf call in mini-xml 2.7 (
https://www.msweet.org/projects.php?Z3) was found:

$ gdb --args ./testmxml jezrijgasv.xml.-5377691366552468283
...
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff48b3a03 in _IO_vfprintf_internal (s=s@...ry=0x7fffffff9970,
format=<optimized out>,
    format@...ry=0x40d900 "<%s> cannot be a second root node after <%s>",
ap=ap@...ry=0x7fffffff9b10) at vfprintf.c:1661
1661    vfprintf.c: No such file or directory.
(gdb) bt
#0  0x00007ffff48b3a03 in _IO_vfprintf_internal (s=s@...ry=0x7fffffff9970,
format=<optimized out>,
    format@...ry=0x40d900 "<%s> cannot be a second root node after <%s>",
ap=ap@...ry=0x7fffffff9b10) at vfprintf.c:1661
#1  0x00007ffff4971235 in ___vsnprintf_chk (s=s@...ry=0x7fffffff9b50 "<b>
cannot be a second root node after <\002", maxlen=<optimized out>,
    maxlen@...ry=1024, flags=flags@...ry=1, slen=slen@...ry=1024,
format=format@...ry=0x40d900 "<%s> cannot be a second root node after
<%s>",
    args=args@...ry=0x7fffffff9b10) at vsnprintf_chk.c:63
#2  0x000000000040a3c0 in vsnprintf (__ap=0x7fffffff9b10, __fmt=0x40d900
"<%s> cannot be a second root node after <%s>", __n=1024,
    __s=0x7fffffff9b50 "<b> cannot be a second root node after <\002") at
/usr/include/x86_64-linux-gnu/bits/stdio2.h:77
#3  mxml_error (format=0x40d900 "<%s> cannot be a second root node after
<%s>") at mxml-private.c:86
#4  0x0000000000405a74 in mxml_load_data (top=top@...ry=0x0,
p=p@...ry=0x60360000fd80,
cb=cb@...ry=0x402863 <type_cb>,
    getc_cb=getc_cb@...ry=0x404c78 <mxml_file_getc>, sax_cb=sax_cb@...ry=0x0,
sax_data=sax_data@...ry=0x0) at mxml-file.c:1662
#5  0x00000000004079d0 in mxmlLoadFile (top=top@...ry=0x0,
fp=fp@...ry=0x60360000fd80,
cb=cb@...ry=0x402863 <type_cb>) at mxml-file.c:199
#6  0x0000000000402166 in main (argc=<optimized out>, argv=0x7fffffffe4f8)
at testmxml.c:473

Fortunately, this issue is fixed in mini-xml 2.9. A reproducer is available
upon request. Please assign a CVE if necesary.

Regards,
Gustavo.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.