GNOME Bugzilla – Bug 549087
gdmgreeter segfault
Last modified: 2008-10-20 14:26:39 UTC
Hey, I'm getting the following segfault with gdmgreeter from gdm-2.20.7:

Core was generated by `/usr/libexec/gdmgreeter'.
Program terminated with signal 11, Segmentation fault.
[New process 24277]
Apparently it is caused by a recent security patch in libxml2.
Yes, a security patch that I applied to Gentoo Linux libxml2-2.6.32 and the patch is off of CVE probably, not libxml2 upstream. Assessing the situation now. Our bug for libxml2 security is http://bugs.gentoo.org/show_bug.cgi?id=234099 and the patch we applied that broke it (confirmed with a downgrade) is http://bugs.gentoo.org/attachment.cgi?id=162889
The patch we are applying is identical to what was applied to libxml2 SVN, after checking. Just the line numbers are shifted for some files due to other changes in SVN.
The crash also didn't occur when I downgraded librsvg from 2.22.2 to 2.20.0.
Seems like Daniel is already aware of this per https://bugzilla.redhat.com/show_bug.cgi?id=459830
Yes, and I think librsvg made a big mistake by not using the libxml2 APIs to allocate an entity node. So I plan to keep the given bug fix in libxml2-2.7.0, probably out next week, but to avoid the problem in librsvg it really should be fixed to use the libxml2 allocation APIs (or explain why they can't use the libxml2 APIs, which I would try to fix). I still consider this as much a librsvg bug as a libxml2 problem. Reassigning to librsvg so that rsvg_entity_decl() is fixed to call xmlAddDocEntity() or xmlAddDtdEntity(), possibly with a first NULL arg.

Daniel
We do need an upstream-supported, ABI-compatible security fix for 2.6 though... I see some in the Red Hat bug, which should go to libxml2-2.6? That isn't to say I'm happy about an ABI break in 2.7, at least not if that doesn't go along with a major library soname version bump.
soname bump ... no way, sorry, no way. I will keep the ABI in 2.7.0. I will provide you an xmlNewEntity() you will be able to use, but I require that you fix the librsvg code with that new entry point when 2.7.0 is fixed. And I will note that the xmlEntity structure had grown between 2.6.26 and 2.6.32 (adding the checked field) and nobody complained then.
Patches to librsvg are welcomed.
Created attachment 118998: Uses xmlNewEntity for libxml >= 2.7

When compiled with libxml >= 2.7, this patch uses the new xmlNewEntity call. Compiling with < 2.7 uses the old code.
From a distance, that patch seems to do the right thing, except I think you still need to deallocate the entities since they don't seem linked to a document: the self->priv->entities cleanup should be maintained but just modified to use xmlFreeNode() on them.

Daniel
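As an added illustration of the failure mode described in the comments above (a client sizing a library struct from its own older definition) and of the cleanup point in the last one, here is example code that is not librsvg's or libxml2's; the struct layouts, `lib_new_entity`, `entity_table_t` and the other names are hypothetical stand-ins for xmlEntity, xmlNewEntity and self->priv->entities:

```c
#include <stdlib.h>

/* Added example, not librsvg or libxml2 code. It models the bug in this thread:
 * a client allocates a library struct from its own, older definition, so once
 * the library grows the struct the library writes past the allocation. The
 * layouts and names are hypothetical stand-ins for xmlEntity. */

/* Entity as the client's old headers described it. */
typedef struct { const char *name; const char *content; int etype; int flags; } old_entity_t;

/* Entity as the library now defines it: same prefix plus a trailing field,
 * like the 'checked' field added to xmlEntity between 2.6.26 and 2.6.32. */
typedef struct { const char *name; const char *content; int etype; int flags; int checked; } lib_entity_t;

/* What the client would allocate on its own (the pattern that broke librsvg). */
size_t old_client_alloc_size(void) { return sizeof(old_entity_t); }
/* 1 if an allocation of client_alloc bytes cannot hold what the library writes. */
int allocation_too_small(size_t client_alloc) { return client_alloc < sizeof(lib_entity_t); }

/* Library constructor, the fix: only the library knows the current struct size. */
lib_entity_t *lib_new_entity(const char *name, const char *content)
{
    lib_entity_t *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->name = name;
    e->content = content;
    e->etype = 1;
    return e;          /* checked is 0 from calloc */
}
void lib_free_entity(lib_entity_t *e) { free(e); }

/* Client-side table: entities not attached to a document remain the client's
 * to free, as the thread notes for self->priv->entities. */
typedef struct { lib_entity_t *items[8]; int count; } entity_table_t;

int table_add(entity_table_t *t, const char *name, const char *content)
{
    if (t->count >= 8) return -1;
    lib_entity_t *e = lib_new_entity(name, content);
    if (!e) return -1;
    t->items[t->count++] = e;
    return 0;
}

void table_free(entity_table_t *t)
{
    for (int i = 0; i < t->count; i++) lib_free_entity(t->items[i]);
    t->count = 0;
}
```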
Thanks, Tom, DV. I committed the patch with a change to use xmlFreeNode. I don't use libxml2 >= 2.7, so I didn't personally test that part, but trust that Tom's tested it and that DV's cursory look at the patch is a good first approximation of correctness.