[xml/sgml-pkgs] Bug#496125: libxml2: security fix does double free / segfaults (breaks Gnome apps)

Christian Jaeger christian at jaeger.mine.nu
Fri Aug 22 20:05:12 UTC 2008

Package: libxml2
Version: 2.6.32.dfsg-2+lenny
Severity: grave
Justification: renders package unusable

See the thread "Lenny users: attn about Gnome/libxml2 breakage" on the
debian-user mailing list (at the time of writing this bug report, the
archive didn't index those mails yet so I can't give a URL).

Here is the text:

    Today I did the usual dist-upgrade for my "testing" install, and
    it left me with a badly broken (from user's perspective)
    installation, because basically all Gnome applications stopped
    working. After a bit over 2 hours worth of investigation, I've
    found out how to solve the issue; since I first looked here and
    didn't find anything gnome related, I'm sending this to the list
    for the casual other victim.

    Symptom: Gnome apps just hang, without outputting anything to
    stdout/stderr (or .xsession-errors if started through the menu).

    Problem: the apps segfault inside libxml2, and thereafter enter a
    deadlocked state in a mutex (or in a select call); the former is
    apparently a bug in libxml2, the latter seems to be the Gnome
    functionality to pop up a window, which seems to have an issue on
    its own (so it's really two bugs happening here, obscuring the
    investigation a bit).

    Solution: install libxml2 from unstable; this is actually a
    downgrade (from libxml2 2.6.32.dfsg-2+lenny to
    2.6.32.dfsg-2). I.e. "apt-get install -t unstable
    libxml2/unstable", but you need to have the unstable sources in
    apt.sources and use apt pinning (I won't explain that here, check
    other sources).

to which I added:

    I realize that the suggestion I wrote about undoes a security
    fix. So, don't do what I said, do something different (what about
    going outside and enjoying a walk?). Well ok, the issue said to be
    fixed is only a DoS (of course, ironically, it introduces another
    DoS ;)).

    Thanks in advance to the security team for fixing the fixes.

The segfaults happen in libxml2 for both applications (Galeon and
gnome-appearance-properties) which I ran under GDB:

#0  0x00007f6038aa95c8 in _int_free (av=0x7f6038d829e0, mem=0xc9ad10) at malloc.c:4663
#1  0x00007f6038aa9a76 in *__GI___libc_free (mem=0xc9ad10) at malloc.c:3626
#2  0x00007f603c54f065 in xmlParseEntityDecl__internal_alias (ctxt=0xcb1700) at parser.c:4809
#3  0x00007f603c54f7e6 in xmlParseMarkupDecl__internal_alias (ctxt=0x7f6038d829e0) at parser.c:5947
#4  0x00007f603c54f87e in xmlParseInternalSubset (ctxt=0xcb1700) at parser.c:7310
#5  0x00007f603c550626 in xmlParseChunk__internal_alias (ctxt=0xcb1700, 
    chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
#6  0x00007f602bac4cd0 in ?? () from /usr/lib/librsvg-2.so.2
#7  0x00007f602bcf0d7c in ?? () from /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
#8  0x00007f603a5d4c99 in IA__gdk_pixbuf_loader_write (loader=0xb28ea0, 
    buf=0xc94180 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!-- Generator: Adobe Illustrator 10.0.3, SVG Export Plug-In . SVG Version: 3.0.0 Build 77)  -->\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.0//EN\"    \"http://www.w3"..., count=4082, error=0xcc8528)
    at /scratch/build-area/gtk+2.0-2.12.11/gdk-pixbuf/gdk-pixbuf-loader.c:475
#9  0x00007f603ab9c530 in icon_info_ensure_scale_and_pixbuf (icon_info=0xcc84f0, 
    scale_only=<value optimized out>)
    at /scratch/build-area/gtk+2.0-2.12.11/gtk/gtkicontheme.c:2743
(you can see the rest of the backtraces in my mailing list email)

Here I'll also post the top of a "bt full", which indicates that glibc
complains about a double free:

#0  0x00007f4c4ab725c8 in _int_free (av=0x7f4c4ae4b9e0, mem=0xc9b570) at malloc.c:4663
        p = (mchunkptr) 0xc9b560
        size = 320
        nextchunk = (mchunkptr) 0xc9b6a0
        nextsize = 144
        prevsize = <value optimized out>
        bck = (mchunkptr) 0x11
        fwd = (mchunkptr) 0x0
        errstr = 0x7f4c4ac1a8d8 "double free or corruption (!prev)"
#1  0x00007f4c4ab72a76 in *__GI___libc_free (mem=0xc9b570) at malloc.c:3626
        ar_ptr = (mstate) 0x7f4c4ae4b9e0
        p = (mchunkptr) 0x1
        hook = <value optimized out>
#2  0x00007f4c4e618065 in xmlParseEntityDecl__internal_alias (ctxt=0xc9a450) at parser.c:4809
        name = (const xmlChar *) 0xc9b053 "ns_flows"
        value = (xmlChar *) 0xc9b570 "http://ns.adobe.com/Flows/1.0/"
        URI = <value optimized out>
        literal = (xmlChar *) 0x0
        ndata = <value optimized out>
        isParameter = 0
        orig = (xmlChar *) 0xc9b500 "http://ns.adobe.com/Flows/1.0/"
        skipped = <value optimized out>
        oldnbent = 0
#3  0x00007f4c4e6187e6 in xmlParseMarkupDecl__internal_alias (ctxt=0x7f4c4ae4b9e0) at parser.c:5947
#4  0x00007f4c4e61887e in xmlParseInternalSubset (ctxt=0xc9a450) at parser.c:7310
No locals.
No locals.
#5  0x00007f4c4e619626 in xmlParseChunk__internal_alias (ctxt=0xc9a450, 
    chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
        end_in_lf = 0
#6  0x00007f4c3db8dcd0 in ?? () from /usr/lib/librsvg-2.so.2
No symbol table info available.
#7  0x00007f4c3ddb9d7c in ?? () from /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
No symbol table info available.

(BTW there seem to be no debugging symbols available in any Debian
package for librsvg-2. (Is this a bug of the librsvg-2 package?))


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxml2 depends on:
ii  libc6                  2.7-13            GNU C Library: Shared libraries
ii  zlib1g                 1: compression library - runtime

Versions of packages libxml2 recommends:
ii  xml-core                      0.11       XML infrastructure and XML catalog

libxml2 suggests no packages.

-- no debconf information
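As an added triage helper (not part of this bug report): the script below parses a gdb backtrace of the shape quoted above, picks up glibc's "double free or corruption" message from the `bt full` locals, and names the first frame outside the allocator, which for this crash lands in xmlParseEntityDecl at parser.c:4809. The sample backtrace is a constructed excerpt of the report's own frames; the regexes assume gdb's default frame layout.

```python
import re

# Constructed excerpt of the report's "bt full": frame lines, one wrapped frame, and glibc's errstr local.
SAMPLE_BT = """\
#0  0x00007f4c4ab725c8 in _int_free (av=0x7f4c4ae4b9e0, mem=0xc9b570) at malloc.c:4663
        errstr = 0x7f4c4ac1a8d8 "double free or corruption (!prev)"
#1  0x00007f4c4ab72a76 in *__GI___libc_free (mem=0xc9b570) at malloc.c:3626
#2  0x00007f4c4e618065 in xmlParseEntityDecl__internal_alias (ctxt=0xc9a450) at parser.c:4809
#5  0x00007f4c4e619626 in xmlParseChunk__internal_alias (ctxt=0xc9a450,
    chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
#6  0x00007f4c3db8dcd0 in ?? () from /usr/lib/librsvg-2.so.2
"""

FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) \((?P<args>.*)\)"
    r"(?: at (?P<src>\S+))?(?: from (?P<lib>\S+))?\s*$")
ERRSTR_RE = re.compile(r'^\s+errstr = \S+ "(?P<msg>[^"]*)"')
ALLOCATOR = ("_int_free", "*__GI___libc_free", "free", "malloc", "realloc")

def _logical_lines(text):
    """Rejoin frame lines that gdb wrapped inside the argument list (unbalanced parens)."""
    pending = ""
    for line in text.splitlines():
        pending = (pending + " " + line.strip()) if pending else line
        if pending.startswith("#") and pending.count("(") > pending.count(")"):
            continue  # frame continues on the next line
        yield pending
        pending = ""
    if pending:
        yield pending

def parse_backtrace(text):
    """Return (frames, errstr): frame dicts in stack order, glibc's error string or None."""
    frames, errstr = [], None
    for line in _logical_lines(text):
        if m := FRAME_RE.match(line):
            frames.append(m.groupdict())
        elif errstr is None and (e := ERRSTR_RE.match(line)):
            errstr = e.group("msg")
    return frames, errstr

def triage(text):
    """Name the first frame outside the allocator: the code that issued the bad free."""
    frames, errstr = parse_backtrace(text)
    culprit = next((f for f in frames if f["func"] not in ALLOCATOR), {})
    return {"heap_error": errstr,
            "double_free": bool(errstr and errstr.startswith("double free")),
            "culprit": (culprit.get("func"), culprit.get("src") or culprit.get("lib"))}
```

Running `triage(SAMPLE_BT)` points at `xmlParseEntityDecl__internal_alias` at `parser.c:4809`, i.e. the patched libxml2 rather than librsvg or the GTK loader, which is the package a reporter should file against.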
