GNOME Bugzilla – Bug 748278
Concerns about CVE-2015-1819 fix
Last modified: 2021-07-05 13:20:47 UTC
The fix for CVE-2015-1819 in commit 213f1fe0d76d30eaed6e5853057defc43e6df2c9 causes libxml2 to return the empty string "" when the allocation limit is encountered while constructing the attribute value string. This allows one to create an XML document which has slightly different contents when parsed with different parsers. This can result in so-called interpretation conflicts and lead to security vulnerabilities if applications interact in particular ways. xmlTextReaderConstValue can return NULL on error for other reasons (although this is not documented), so callers still have to check for the error return value. A straight crash is usually less bad than triggering the OOM killer, so I don't think the cure is worse than the disease in this case.
I don't see the reason for the concern. And the minimal difference would be at least 10MBytes in size, hardly a way to sneak subtle changes.

Daniel
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a long time (resources are unfortunately quite limited, so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new ticket at https://gitlab.gnome.org/GNOME/libxml2/-/issues/ Thank you for your understanding and your help.