oss-sec mailing list archives
CVE request: DoS in libxml2 if xz is enabled
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Mon, 2 Nov 2015 08:24:10 -0300
Hello,

We found a denial of service parsing a specially crafted xml in libxml2 if xz support is enabled. It affects version 2.9.1 and probably others. Find attached an xml that never finishes the parsing process:

gdb --quiet --args xmllint /tmp/test.xz
Reading symbols from xmllint...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/xmllint /tmp/test.xz
^C
Program received signal SIGINT, Interrupt.
0xb7f3e63c in xz_decomp (state=state@entry=0x8001cff0) at ../../xzlib.c:509
509     ../../xzlib.c: No such file or directory.
(gdb) bt
#0  0xb7f3e63c in xz_decomp (state=state@entry=0x8001cff0) at ../../xzlib.c:509
#1  0xb7f3ea25 in xz_make (state=<optimized out>) at ../../xzlib.c:603
#2  0xb7f3f3e7 in __libxml2_xzread (file=file@entry=0x8001cff0, buf=buf@entry=0x8001d190, len=len@entry=4000) at ../../xzlib.c:694
#3  0xb7e87dfb in xmlXzfileRead (context=0x8001cff0, buffer=0x8001d190 "", len=4000) at ../../xmlIO.c:1421
#4  0xb7e89aaa in xmlParserInputBufferGrow__internal_alias (in=0x8001d140, len=4000, len@entry=250) at ../../xmlIO.c:3317
#5  0xb7e5af21 in xmlParserInputGrow__internal_alias (in=0x8001f198, len=len@entry=250) at ../../parserInternals.c:320
#6  0xb7e60581 in xmlGROW (ctxt=ctxt@entry=0x8001c258) at ../../parser.c:2075
#7  0xb7e72d49 in xmlParseDocument__internal_alias (ctxt=ctxt@entry=0x8001c258) at ../../parser.c:10672
#8  0xb7e731a0 in xmlDoRead (ctxt=0x8001c258, URL=0x0, encoding=0x0, options=4259840, reuse=0) at ../../parser.c:15242
#9  0x80009fc8 in ?? ()
#10 0x80006887 in main ()

Upstream is working to fix this issue. This test case was found using afl.

Thanks!
Attachment:
test.xz