GNOME Bugzilla – Bug 757466
DoS in libxml2 if xz is enabled
Last modified: 2015-11-03 07:49:09 UTC
Created attachment 314626 [details] test case

Hello,

We found a denial of service parsing a specially crafted XML file in libxml2 if xz support is enabled. Find attached an XML file that never finishes the parsing process:

gdb --quiet --args xmllint /tmp/test.xz
Reading symbols from xmllint...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/xmllint /tmp/test.xz
^C
Program received signal SIGINT, Interrupt.
0xb7f3e63c in xz_decomp (state=state@entry=0x8001cff0) at ../../xzlib.c:509
509 ../../xzlib.c: No such file or directory.
(gdb) bt
+ Trace 235666
Thanks!
Hi Gustavo,

Switched the bug to private

Hum, I can't reproduce this:

thinkpad2:~/XML -> time /usr/bin/xmllint test.xz
test.xz:1: parser error : Start tag expected, '<' not found

^
real 0m0.001s
user 0m0.000s
sys 0m0.001s
thinkpad2:~/XML -> time ./xmllint test.xz
test.xz:1: parser error : Start tag expected, '<' not found

^
real 0m0.007s
user 0m0.001s
sys 0m0.008s
thinkpad2:~/XML ->

What version are you using, on what system?

BTW I used to be at imag, graduated Ensimag in 92 and PhD at Bull-IMAG thereafter
Hello Daniel,

I tested this issue in libxml2-2.9.1 (Ubuntu 14.04 x86 32-bit). Let me know if you cannot reproduce there. (I'm working for Verimag as a cotutelle PhD student in computer security.)
I cannot reproduce with released version of 2.9.2 on Fedora nor with git head.

I can reproduce it with libxml2-2.9.1-5.el7_1.2.x86_64 on CentOS 7

I see you posted it to http://seclists.org/oss-sec/2015/q4/206 too.

BTW as a security guy you should not put the test in public directly in case of severe problems, those are kept under embargo in case it's a real security issue. And in that case it is a DoS, not nice, if you work in the field you should know better :-(

Daniel
(In reply to Daniel Veillard from comment #3)
> I cannot reproduce with released version of 2.9.2 on Fedora nor with git
> head.
>
> I can reproduce it with libxml2-2.9.1-5.el7_1.2.x86_64 on CentOS 7

Great!

> I see you posted it to http://seclists.org/oss-sec/2015/q4/206
> too.
>
> BTW as a security guy you should not put the test in public directly in
> case of severe problems, those are kept under embargo in case it's a real
> security issue. And in that case it is a DoS, not nice, if you work in the
> field you should know better :-(

Yep, I know about the embargo and that kind of stuff. IMHO, this issue is low priority. In fact, for such bugs, the oss-security list recommends disclosing them to speed up the fixing process. I posted the test case because people request them all the time for minor issues, even from Red Hat! I'm sorry if you think this was a severe issue; if you want I will privately report *all* the issues we found.

> Daniel
Created attachment 314670 [details] [review] Initial fix for the issue
For the record, in 2.9.2 xz support is somehow broken, which is why this is not reproducible on the latest release and git head. I have a separate patch to re-enable lzma support (problem introduced by commit f3f86ff465c92c79f834d7b981f3c7274a8bb5c8 for https://bugzilla.gnome.org/show_bug.cgi?id=711026 !)

Daniel
Created attachment 314696 [details] [review] Patch to re-enable lzma support in head and 2.9.2
Since the bug was made public on seclist, no embargo, and reopening that bug. Fixed in https://git.gnome.org/browse/libxml2/commit/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63

Thanks for the report, but next time for a DoS, do not disclose it immediately.

Daniel
Also pushed 18b8988511b0954272cac4d6c3e6724f9dbf6e0a to re-enable xz support by default.

Daniel
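An added example, not part of the bug report and not libxml2's own code: a small POSIX shell harness for the two checks this thread turns on, whether the installed xmllint was actually built with lzma support (Daniel notes that 2.9.2 had it accidentally disabled, which is why his run produced a parse error instead of the hang), and whether a given .xz input makes the parser spin forever the way the attached test case did under gdb. It assumes GNU coreutils `timeout` and that `xmllint --version` prints a "compiled with:" feature line that contains "Lzma" when xz support was compiled in. The crafted test case itself is not reproduced here; the harness runs against whatever files you pass it.

```sh
#!/bin/sh
# Added example, not from the bug report or libxml2. Assumes GNU coreutils
# `timeout` and that `xmllint --version` prints a "compiled with:" feature
# line containing "Lzma" when the library was built with xz support.

# Return 0 when the given `xmllint --version` text lists the Lzma feature.
has_lzma_feature() {
    printf '%s\n' "$1" | grep 'compiled with:' | grep -qw 'Lzma'
}

# Run a command under a wall-clock limit. Prints "hang" when the limit was hit
# (coreutils timeout exits 124), otherwise the command's own exit status.
run_with_limit() {
    secs="$1"; shift
    if timeout "$secs" "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 124 ]; then
        echo hang
    else
        echo "$rc"
    fi
}

# Parse one file with xmllint under a limit and classify the outcome:
#   hang  - parser did not return before the limit (what this bug looks like)
#   ok    - parsed successfully
#   error - xmllint returned a parse error (the "Start tag expected" case,
#           which is what a build without xz support gives on a .xz file)
classify_parse() {
    file="$1"; secs="${2:-5}"
    r="$(run_with_limit "$secs" xmllint --noout "$file")"
    case "$r" in
        hang) echo hang ;;
        0)    echo ok ;;
        *)    echo error ;;
    esac
}

# Entry point: report lzma support, then classify each file argument.
main() {
    if ! command -v xmllint >/dev/null 2>&1; then
        echo "xmllint not installed" >&2
        return 2
    fi
    ver="$(xmllint --version 2>&1)"
    if has_lzma_feature "$ver"; then
        echo "xmllint: Lzma support enabled (xz inputs will be decompressed)"
    else
        echo "xmllint: no Lzma support (xz inputs are not decompressed)"
    fi
    for f in "$@"; do
        echo "$f: $(classify_parse "$f")"
    done
}

# Only run main when executed under this name, so the functions can be sourced.
case "$0" in
    */xz_hang_check.sh|xz_hang_check.sh) main "$@" ;;
esac
```

Usage: `sh xz_hang_check.sh /tmp/test.xz`. A "hang" verdict on an xz-enabled build is the symptom reported here; a build that reports no Lzma support will never reach xz_decomp and will show "error" instead, so check the feature line before concluding a build is unaffected.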