oss-sec mailing list archives
Re: Re: CVE request: Null pointer derefence parsing xml file using libxml 2.9.4 (in recover mode)
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Wed, 8 Feb 2017 22:47:37 -0300
2017-02-08 19:32 GMT-03:00 Ian Zimmerman <itz () primate net>:
> On 2016-11-05 10:04, Gustavo Grieco wrote:
>
> > We found a null pointer dereference when parsing an xml file using recover mode. It was tested in libxml 2.9.4 (ArchLinux x86_64).
> >
> > To reproduce:
> >
> > $ xmllint --recover crash-libxml2-recover.xml
> > ==27646==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004fbd88 bp 0x7ffc3345dff0 sp 0x7ffc3345dfd0 T0)
> >     #0 0x4fbd87 in xmlDumpElementContent /home/g/Work/Code/libxml2-2.9.4/valid.c:1181
> >     #1 0x4fbcd5 in xmlDumpElementContent /home/g/Work/Code/libxml2-2.9.4/valid.c:1177
> >     #2 0x4fe5ff in xmlDumpElementDecl /home/g/Work/Code/libxml2-2.9.4/valid.c:1706
> >     #3 0x72e714 in xmlBufDumpElementDecl /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:501
> >     #4 0x73048f in xmlNodeDumpOutputInternal /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:939
> >     #5 0x72fc47 in xmlNodeListDumpOutput /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:825
> >     #6 0x72f6d5 in xmlDtdDumpOutput /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:749
> >     #7 0x73038f in xmlNodeDumpOutputInternal /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:931
> >     #8 0x732412 in xmlDocContentDumpOutput /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:1234
> >     #9 0x735883 in xmlSaveDoc /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:1936
> >     #10 0x40ba0f in parseAndPrintFile /home/g/Work/Code/libxml2-2.9.4/xmllint.c:2712
> >     #11 0x411eb6 in main /home/g/Work/Code/libxml2-2.9.4/xmllint.c:3767
> >     #12 0x7f23dcd4c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
> >     #13 0x4032b9 in _start (/home/g/Work/Code/libxml2-2.9.4/xmllint+0x4032b9)
>
> Where did this one ever go? Is there a CVE? Is there a patch?
AFAIK: no patch, no CVE.
> --
> Please *no* private Cc: on mailing lists and newsgroups
> Personal signed mail: please _encrypt_ and sign
> Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
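As an added illustration (not libxml2's code and not part of the report above), here is a simplified content-model dumper in C that models the pattern the trace points at: xmlDumpElementContent recursing into the operands of an element content tree. It assumes, as the recover-mode reproduction suggests, that a lenient parse can leave an operand pointer NULL; the struct, the names `dump_content`/`demo` and the sample tree are constructed for this example.

```c
#include <string.h>

/* Simplified model of an element content-model tree (assumed shape,
 * not libxml2's real xmlElementContent struct). */
enum ctype { C_PCDATA, C_ELEMENT, C_SEQ, C_OR };
struct content {
    enum ctype type;
    const char *name;          /* element name, C_ELEMENT only */
    struct content *c1, *c2;   /* operands, C_SEQ / C_OR only */
};

/* Append s to NUL-terminated buf: 0 on success, -1 if it would overflow. */
static int put(char *buf, size_t cap, const char *s) {
    size_t n = strlen(buf), m = strlen(s);
    if (n + m + 1 > cap) return -1;
    memcpy(buf + n, s, m + 1);
    return 0;
}

/* Defensive dumper: each operand pointer is checked before its type is read,
 * so a tree left incomplete by a lenient (recover-style) parse is printed
 * with a "<missing>" marker instead of being dereferenced. */
int dump_content(char *buf, size_t cap, const struct content *c, int glob) {
    if (c == NULL) return put(buf, cap, "<missing>");
    if (glob && put(buf, cap, "(")) return -1;
    switch (c->type) {
    case C_PCDATA:  if (put(buf, cap, "#PCDATA")) return -1; break;
    case C_ELEMENT: if (put(buf, cap, c->name ? c->name : "<unnamed>")) return -1; break;
    case C_SEQ:
    case C_OR: {
        const char *sep = (c->type == C_SEQ) ? " , " : " | ";
        int nest1 = c->c1 && (c->c1->type == C_SEQ || c->c1->type == C_OR);
        int nest2 = c->c2 && (c->c2->type == C_SEQ || c->c2->type == C_OR);
        if (dump_content(buf, cap, c->c1, nest1)) return -1;
        if (put(buf, cap, sep)) return -1;
        if (dump_content(buf, cap, c->c2, nest2)) return -1;
        break;
    }
    }
    return (glob && put(buf, cap, ")")) ? -1 : 0;
}

/* Constructed sample: choice "a | (#PCDATA , ?)" whose inner sequence never
 * received its second operand. Writes the dump into buf; returns 0 on success. */
int demo(char *buf, size_t cap) {
    struct content pc = { C_PCDATA, NULL, NULL, NULL }, a = { C_ELEMENT, "a", NULL, NULL };
    struct content seq = { C_SEQ, NULL, &pc, NULL }, top = { C_OR, NULL, &a, &seq };
    buf[0] = '\0';
    return dump_content(buf, cap, &top, 1);
}
```

With the sample tree `demo` fills the buffer with `(a | (#PCDATA , <missing>))` instead of faulting on the absent operand.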