GNOME Bugzilla – Bug 708205
CVE-2012-2871
Last modified: 2013-09-17 09:13:42 UTC
The libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8780c5ddf2916bbd42fc67b79c286652aebb1546

It seems to have not been upstreamed yet. The following commit supposedly corrects the issue:
http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxml/src/include/libxml/tree.h?r1=56276&r2=149930
The patch modifies the library header's public structure, hence breaking ABI. Totally unacceptable. When Chris Evans discussed the bug I proposed a fix at the right place, and that one was committed upstream. If you can reproduce with current upstream, provide the data for reproducing and reopen the bug; I'm closing it as invalid as the bug was fixed differently.

Daniel
Some context and where/how things were properly fixed: http://code.google.com/p/chromium/issues/detail?id=138673

------------------------------------------------
The fix looks broken to me; it changes the node size for no good reason. The bug is in libxslt, the fix is there:
http://git.gnome.org/browse/libxslt/commit/?id=937ba2a3eb42d288f53c8adc211bd1122869f0bf
and to not fail on xmlUnlinkNode for a namespace node, which is also a bug:
http://git.gnome.org/browse/libxml2/commit/?id=6ca24a39d0eb7fd7378a5bc8be3286bf745a36ba
Adding a string named children in a namespace node is really not a proper fix for this issue,

Daniel
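The layout mismatch the comments above are arguing about, as an added illustration that is not code from libxml2, libxslt or the Chromium patch: two structs that follow the field order of the public xmlNode and xmlNs in tree.h (abbreviated), a helper that reports which xmlNs field a given xmlNode field would really hit when an xmlNs pointer is cast to xmlNodePtr, and an unlink routine that refuses namespace declarations on their type tag instead of relying on extra padding in the namespace struct. The names tree_node, ns_decl, ns_field_at, append_child and unlink_node, and the sample namespace values, are assumptions made for this example; the enum values follow xmlElementType.

```c
/*
 * Added illustration, not libxml2/libxslt code. Models the xmlNode vs xmlNs
 * layout relationship from tree.h and the type-tag check that avoids touching
 * fields a namespace declaration does not have. Struct and helper names are
 * assumptions made for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Numeric values follow libxml2's xmlElementType. */
enum node_type { ELEMENT_NODE = 1, NAMESPACE_DECL = 18 };

/* Field order of struct _xmlNode, truncated after `doc`. */
typedef struct tree_node {
    void *_private;
    enum node_type type;
    const char *name;
    struct tree_node *children;
    struct tree_node *last;
    struct tree_node *parent;
    struct tree_node *next;
    struct tree_node *prev;
    void *doc;
} tree_node;

/* Field order of struct _xmlNs. Only `type` shares its offset with tree_node;
 * that shared tag is the only thing a cast pointer may safely read. */
typedef struct ns_decl {
    struct ns_decl *next;
    enum node_type type;
    const char *href;
    const char *prefix;
    void *_private;
    void *context;
} ns_decl;

static const struct { size_t off; const char *name; } ns_fields[] = {
    { offsetof(ns_decl, next), "next" },         { offsetof(ns_decl, type), "type" },
    { offsetof(ns_decl, href), "href" },         { offsetof(ns_decl, prefix), "prefix" },
    { offsetof(ns_decl, _private), "_private" }, { offsetof(ns_decl, context), "context" },
};

/* Name of the ns_decl field a tree_node field at offset `off` aliases when the
 * pointer really addresses an ns_decl, or a marker when it lies past the end. */
const char *ns_field_at(size_t off) {
    size_t i;
    for (i = 0; i < sizeof ns_fields / sizeof ns_fields[0]; i++)
        if (ns_fields[i].off == off)
            return ns_fields[i].name;
    return off >= sizeof(ns_decl) ? "(past end of ns_decl)" : "(padding)";
}

/* Append `child` to the end of `parent`'s doubly linked child list. */
void append_child(tree_node *parent, tree_node *child) {
    child->parent = parent;
    child->next = NULL;
    child->prev = parent->last;
    if (parent->last != NULL)
        parent->last->next = child;
    else
        parent->children = child;
    parent->last = child;
}

/* Unlink `cur` from parent and siblings. Returns 1 on success, 0 if refused.
 * A namespace declaration is refused on its tag alone: its `parent`, `next`
 * and `prev` slots alias unrelated ns_decl fields or lie past the struct. */
int unlink_node(tree_node *cur) {
    if (cur == NULL || cur->type == NAMESPACE_DECL)
        return 0;
    if (cur->parent != NULL) {
        if (cur->parent->children == cur)
            cur->parent->children = cur->next;
        if (cur->parent->last == cur)
            cur->parent->last = cur->prev;
        cur->parent = NULL;
    }
    if (cur->next != NULL)
        cur->next->prev = cur->prev;
    if (cur->prev != NULL)
        cur->prev->next = cur->next;
    cur->next = cur->prev = NULL;
    return 1;
}

int main(void) {
    /* Constructed sample namespace declaration and a two-child element. */
    ns_decl ns = { NULL, NAMESPACE_DECL, "urn:example", "ex", NULL, NULL };
    tree_node root = { 0 }, a = { 0 }, b = { 0 };
    root.type = a.type = b.type = ELEMENT_NODE;
    append_child(&root, &a);
    append_child(&root, &b);
    printf("sizeof tree_node=%zu sizeof ns_decl=%zu\n", sizeof(tree_node), sizeof(ns_decl));
    printf("xmlNode.children -> %s\n", ns_field_at(offsetof(tree_node, children)));
    printf("xmlNode.parent   -> %s\n", ns_field_at(offsetof(tree_node, parent)));
    printf("xmlNode.next     -> %s\n", ns_field_at(offsetof(tree_node, next)));
    printf("unlink ns: %d, unlink a: %d, root.children==b: %d\n",
           unlink_node((tree_node *)&ns), unlink_node(&a), root.children == &b);
    return 0;
}
```

The offset table is the whole argument: `children` lands on `prefix`, `parent` on `context`, and `next` is already past the end of the namespace struct, so any tree operation on a cast namespace pointer corrupts or reads outside the allocation. Padding xmlNs with a `children` member, as the Chromium patch did, changes sizeof(xmlNs), which every binary built against the old header has baked in; checking the tag in the consumer costs nothing and keeps the public layout.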
For reference, those commits are in libxml2 2.9.0 and libxslt 1.1.27.