oss-sec mailing list archives
CVE request: Stack exhaustion in libxml2 parsing xml files in recover mode
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Mon, 21 Mar 2016 10:57:51 -0300
Hello,

We found a denial of service parsing a specially crafted XML in libxml2 if recover mode is used. It was reported to the libxml2 bug tracker some time ago, but the maintainers are quite busy, so they haven't fixed it.

$ gdb --args xmllint --recover no-recover.xml
...
Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=0x7ffff7826760 <main_arena>, bytes=2) at malloc.c:3302
3302    malloc.c: No such file or directory.
(gdb) bt
#0  _int_malloc (av=0x7ffff7826760 <main_arena>, bytes=2) at malloc.c:3302
#1  0x00007ffff74ea7b0 in __GI___libc_malloc (bytes=2) at malloc.c:2891
#2  0x00007ffff78d9c19 in xmlStrndup__internal_alias (cur=0x555556888570 "b", len=1) at ../../xmlstring.c:45
#3  0x00007ffff7882800 in xmlNewReference__internal_alias (doc=doc@entry=0x55555577c000, name=name@entry=0x555556888570 "b") at ../../tree.c:2609
#4  0x00007ffff78856f7 in xmlStringGetNodeList__internal_alias (doc=doc@entry=0x55555577c000, value=<optimized out>) at ../../tree.c:1583
#5  0x00007ffff788592c in xmlStringGetNodeList__internal_alias (doc=doc@entry=0x55555577c000, value=<optimized out>) at ../../tree.c:1591
#6  0x00007ffff788592c in xmlStringGetNodeList__internal_alias (doc=doc@entry=0x55555577c000, value=<optimized out>) at ../../tree.c:1591
....

A reproducer is available upon request. Please assign a CVE.

Regards,
Gus.
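The report above shows a libxml2 parser run dying with SIGSEGV after unbounded recursion in xmlStringGetNodeList, i.e. a stack exhaustion that takes the whole process down. A common containment for this class of bug is to parse untrusted documents in a separate process, without recover mode, under resource limits, and to classify a crash distinctly from a clean rejection so it can be alerted on. The following Python is an added example written for this page, not code from the e-mail, from libxml2 or from xmllint; it assumes a POSIX system and that the caller supplies an argv such as ["xmllint", "--noout", "untrusted.xml"] (note: no --recover). The test below drives it with plain sh commands only.

```python
import resource
import signal
import subprocess
from typing import Sequence


def _limit_resources(stack_bytes: int, cpu_seconds: int) -> None:
    """Runs in the child just before exec: cap stack and CPU time.

    RLIMIT_STACK applies to the main thread of the exec'd program, so a
    runaway recursion (as in the xmlStringGetNodeList trace) hits the
    limit early instead of consuming the default, often larger, stack.
    The hard limit is never raised; the soft limit is lowered only.
    """
    for res, want in ((resource.RLIMIT_STACK, stack_bytes),
                      (resource.RLIMIT_CPU, cpu_seconds)):
        soft, hard = resource.getrlimit(res)
        if hard != resource.RLIM_INFINITY:
            want = min(want, hard)
        resource.setrlimit(res, (want, hard))


def classify_parse_run(argv: Sequence[str],
                       timeout: float = 5.0,
                       stack_bytes: int = 8 * 1024 * 1024,
                       cpu_seconds: int = 5) -> str:
    """Run a parser command on an untrusted input and classify the outcome.

    Returns one of:
      "ok"              - exit status 0, document accepted
      "rejected:<code>" - non-zero exit, parser reported an error and stopped
      "crashed:<SIG>"   - killed by a signal (SIGSEGV for stack exhaustion,
                          SIGXCPU when the CPU limit is exceeded)
      "timeout"         - wall-clock limit exceeded, child was killed
      "missing-tool"    - argv[0] not found on PATH
    A "crashed:*" result is the one worth alerting on: it means the input
    reached a parser bug rather than an ordinary well-formedness error.
    """
    try:
        proc = subprocess.run(
            list(argv),
            capture_output=True,
            timeout=timeout,
            preexec_fn=lambda: _limit_resources(stack_bytes, cpu_seconds),
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    except FileNotFoundError:
        return "missing-tool"

    if proc.returncode < 0:
        # subprocess reports death-by-signal as a negative return code.
        return "crashed:" + signal.Signals(-proc.returncode).name
    if proc.returncode == 0:
        return "ok"
    return f"rejected:{proc.returncode}"


if __name__ == "__main__":
    # Constructed demonstration commands; a real caller would pass the
    # libxml2-based tool it uses, e.g. ["xmllint", "--noout", path].
    print(classify_parse_run(["sh", "-c", "exit 0"]))        # ok
    print(classify_parse_run(["sh", "-c", "exit 1"]))        # rejected:1
    print(classify_parse_run(["sh", "-c", "kill -11 $$"]))   # crashed:SIGSEGV
```

The parent never links libxml2 itself, so a stack overflow in the child cannot take the service down; the classification string is what should be logged, and "crashed:SIGSEGV" on a parser that was given attacker-controlled input is a signal to quarantine the document and file the bug.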
Current thread:
- CVE request: Stack exhaustion in libxml2 parsing xml files in recover mode Gustavo Grieco (Mar 21)
- Re: CVE request: Stack exhaustion in libxml2 parsing xml files in recover mode cve-assign (Mar 21)
- Re: Re: CVE request: Stack exhaustion in libxml2 parsing xml files in recover mode Murphy, Grant (Mar 21)
- Re: CVE request: Stack exhaustion in libxml2 parsing xml files in recover mode cve-assign (Mar 21)