Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20151121101253.20323cd3@pc1>
Date: Sat, 21 Nov 2015 10:12:53 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Libxml2: Several out of bounds reads

https://blog.fuzzing-project.org/28-Libxml2-Several-out-of-bounds-reads.html

Libxml2: Several out of bounds reads

I discovered several out of bounds read issues in Libxml2. The upstream
developers have just released version 2.9.3, which fixes all relevant
issues.

A malformed XML file can cause a heap out of bounds read access in the
function xmlParseXMLDecl.
https://bugzilla.gnome.org/show_bug.cgi?id=751603
Upstream bug #751603 (sample input attached)
https://git.gnome.org/browse/libxml2/commit/?id=9aa37588ee78a06ca1379a9d9356eab16686099c
Git commit / fix

A second, very similar issue in the same function xmlParseXMLDecl.
https://bugzilla.gnome.org/show_bug.cgi?id=751631
Upstream bug #751631 (sample input attached)
https://git.gnome.org/browse/libxml2/commit/?id=709a952110e98621c9b78c4f26462a9d8333102e
Git commit / fix

A malformed XML file can cause a global out of bounds read access in
the function xmlNextChar. This only affected the git code and was never
an issue in any release version. Upstream bug #751643 (sample input
attached)

All three issues above were found with american fuzzy lop and address
sanitizer.

Some inputs can cause a stack out of bounds read. This was found by
running the test suite with Address Sanitizer (make check). The issue
was re-found by fuzzing independently by Hugh Davenport:
https://bugzilla.gnome.org/show_bug.cgi?id=752191
Upstream bug #752191
https://bugzilla.gnome.org/show_bug.cgi?id=756372
Upstream bug #756372 (duplicate)
https://git.gnome.org/browse/libxml2/commit/?id=8fb4a770075628d6441fb17a1e435100e2f3b1a2
Git commit / fix
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8242
CVE-2015-8242

Unfortunately there is another issue affecting the test suite (also
documented in upstream bug #752191) that isn't fixed yet, but the bug
is in the code of the test itself, therefore it's not affecting the use
of Libxml2.

A large number of other issues have been fixed, many of them found with
american fuzzy lop and libfuzzer. The release notes of 2.9.3 mention
10 CVEs. If you use Libxml2 please update as soon as possible.
http://www.xmlsoft.org/news.html

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.