After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 766414 - (CVE-2016-4483) CVE-2016-4483: out-of-bounds read parsing an XML in libxml2 using recover mode
(CVE-2016-4483)
CVE-2016-4483: out-of-bounds read parsing an XML in libxml2 using recover mode
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
git master
Other Linux
: Normal normal
: ---
Assigned To: Daniel Veillard
libxml QA maintainers
https://marc.info/?l=oss-security&m=1...
Depends on:
Blocks:
 
 
Reported: 2016-05-14 08:01 UTC by Salvatore Bonaccorso
Modified: 2018-08-21 09:51 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
reproducer (464 bytes, text/xml)
2016-05-14 08:04 UTC, Salvatore Bonaccorso 		  Details
Patch for upstream (1.26 KB, patch)
2016-05-23 05:38 UTC, Daniel Veillard 		none Details | Review

Description Salvatore Bonaccorso 2016-05-14 08:01:53 UTC 
Gustavo Grieco reported the following on the oss-security mailinglist, where CVE-2016-4483 was assigned:

Hi,

We found an out-of-bounds read parsing a specially crafted xml in libxml2
if recover mode is used. It affects all versions.  It was discovered before
by another guy but for some reason, never reported or fixed. Since upstream
is not responding, i think it is a good time to publish some details here.

$ xmllint -recover ohizsmaase.xml.-6355798974422201279
...
==2994== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60040000d5d3 at pc 0x73320a bp 0x7fffffffc1e0 sp 0x7fffffffc1d8
READ of size 1 at 0x60040000d5d3 thread T0
...
0x60040000d5d3 is located 0 bytes to the right of 3-byte region
[0x60040000d5d0,0x60040000d5d3)

And backtrace is here:

...

+ Trace 236245

  • #7 xmlBufAttrSerializeTxtContent
    at xmlsave.c line 2057
  • #8 xmlAttrSerializeContent
    at xmlsave.c line 443
  • #9 xmlAttrDumpOutput
    at xmlsave.c line 780
  • #10 xmlAttrListDumpOutput
    at xmlsave.c line 797
  • #11 xmlNodeDumpOutputInternal
    at xmlsave.c line 1055
  • #12 xmlDocContentDumpOutput
    at xmlsave.c line 1234
  • #13 xmlSaveDoc
    at xmlsave.c line 1936
  • #14 parseAndPrintFile
    at xmllint.c line 2689
  • #15 main
    at xmllint.c line 3739 

A reproducer is available upon request. Please assign a CVE if necesary.

Regards,
Gustavo.
Comment 1 Salvatore Bonaccorso 2016-05-14 08:04:02 UTC 
Created attachment 327854 [details]
reproducer
Comment 2 Daniel Veillard 2016-05-23 01:13:10 UTC 
First that's not in parsing, that's in saving the XML back.
Second the recover flag is not XML compliant and should never be used
by default in an automated fashion.

So it's not a critical issue, plus I don't have a patch yet, and a 15mn
debug session didn't allow me to find yet the root of the issue.

  So this is not making the release of 2.9.4,

Daniel
Comment 3 Daniel Veillard 2016-05-23 01:15:06 UTC 
BTW creating CVE with factually incorrect statements don't make me very
happy, I assume you understand why !

Daniel
Comment 4 Daniel Veillard 2016-05-23 05:38:12 UTC 
Created attachment 328364 [details] [review]
Patch for upstream

This is a problem exposed when trying to save a misformed content
that was forced to be generated by asking for the recover non conformant
mode. The generated tree is correct, but the embedded string is not
and we get that out of bound issue because the serializer assumed the
content was correct as through result of normal parsing checks.

  Not a security issue, but a bug triggered by doing an
explicitely dangerous and not recommended operation.

Daniel
Comment 5 David Kilzer 2016-05-25 17:05:03 UTC 
Fix committed to master in c97750d11bb8b6f3303e7131fe526a61ac65bcfd:

<https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd>
Comment 6 Nick Wellnhofer 2018-08-21 09:51:44 UTC 
I'm making this bug public since it's been fixed for two years and hardly critical.