Message-ID: <CACn5sdS+8Hc+VOm3zX7k2dE2UYj6kuCH4ZmZqtc-WbXca=n9vQ@mail.gmail.com>
Date: Fri, 6 May 2016 17:07:01 +0200
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: an invalid pointer read in mini-xml 2.7

Hi,

An invalid pointer read located in a vsnprintf call in mini-xml 2.7
(https://www.msweet.org/projects.php?Z3) was found:

$ gdb --args ./testmxml jezrijgasv.xml.-5377691366552468283
...
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff48b3a03 in _IO_vfprintf_internal (s=s@...ry=0x7fffffff9970, format=<optimized out>,
    format@...ry=0x40d900 "<%s> cannot be a second root node after <%s>", ap=ap@...ry=0x7fffffff9b10)
    at vfprintf.c:1661
1661 vfprintf.c: No such file or directory.
(gdb) bt
#0 0x00007ffff48b3a03 in _IO_vfprintf_internal (s=s@...ry=0x7fffffff9970, format=<optimized out>,
    format@...ry=0x40d900 "<%s> cannot be a second root node after <%s>", ap=ap@...ry=0x7fffffff9b10)
    at vfprintf.c:1661
#1 0x00007ffff4971235 in ___vsnprintf_chk (s=s@...ry=0x7fffffff9b50 "<b> cannot be a second root node after <\002",
    maxlen=<optimized out>, maxlen@...ry=1024, flags=flags@...ry=1, slen=slen@...ry=1024,
    format=format@...ry=0x40d900 "<%s> cannot be a second root node after <%s>", args=args@...ry=0x7fffffff9b10)
    at vsnprintf_chk.c:63
#2 0x000000000040a3c0 in vsnprintf (__ap=0x7fffffff9b10,
    __fmt=0x40d900 "<%s> cannot be a second root node after <%s>", __n=1024,
    __s=0x7fffffff9b50 "<b> cannot be a second root node after <\002")
    at /usr/include/x86_64-linux-gnu/bits/stdio2.h:77
#3 mxml_error (format=0x40d900 "<%s> cannot be a second root node after <%s>") at mxml-private.c:86
#4 0x0000000000405a74 in mxml_load_data (top=top@...ry=0x0, p=p@...ry=0x60360000fd80,
    cb=cb@...ry=0x402863 <type_cb>, getc_cb=getc_cb@...ry=0x404c78 <mxml_file_getc>,
    sax_cb=sax_cb@...ry=0x0, sax_data=sax_data@...ry=0x0) at mxml-file.c:1662
#5 0x00000000004079d0 in mxmlLoadFile (top=top@...ry=0x0, fp=fp@...ry=0x60360000fd80,
    cb=cb@...ry=0x402863 <type_cb>) at mxml-file.c:199
#6 0x0000000000402166 in main (argc=<optimized out>, argv=0x7fffffffe4f8) at testmxml.c:473

Fortunately, this issue is fixed in mini-xml 2.9. A reproducer is available
upon request.
Please assign a CVE if necessary.

Regards,
Gustavo.