[xml/sgml-pkgs] Bug#496125: libxml2: security fix does double free / segfaults (breaks Gnome apps)
Christian Jaeger
christian at jaeger.mine.nu
Fri Aug 22 20:05:12 UTC 2008
Package: libxml2
Version: 2.6.32.dfsg-2+lenny
Severity: grave
Justification: renders package unusable
See the thread "Lenny users: attn about Gnome/libxml2 breakage" on the
debian-user mailing list (at the time of writing this bug report, the
archive didn't index those mails yet so I can't give an url).
Here is the text:
Today I did the usual dist-upgrade for my "testing" install, and
it left me with a badly broken (from user's perspective)
installation, because basically all Gnome applications stopped
working. After a bit over 2 hours worth of investigation, I've
found out how to solve the issue; since I first looked here and
didn't find anything gnome related, I'm sending this to the list
for the casual other victim.
Symptom: Gnome apps just hang, without outputting anything to
stdout/stderr (or .xsession-errors if started through the menu).
Problem: the apps segfault inside libxml2, and thereafter enter a
deadlocked state in a mutex (or in a select call); the former is
apparently a bug in libxml2, the latter seems to be the Gnome
functionality to pop up a windows which seems to have an issue on
it's own (so it's really two bugs happening here, obscuring the
investigation a bit.)
Solution: install libxml2 from unstable; this is actually a
downgrade (from libxml2 2.6.32.dfsg-2+lenny to
2.6.32.dfsg-2). I.e. "apt-get install -t unstable
libxml2/unstable", but you need to have the unstable sources in
apt.sources and use apt pinning (I won't explain that here, check
other sources).
to which I added:
I realize that the suggestion I wrote about undoes a security
fix. So, don't do what I said, do something different (what about
going outside and enjoying a walk?). Well ok, the issue said to be
fixed is only a DoS (of course ironically it introduces another
DoS ;) .
Thanks in advance to the security team for fixing the fixes.
The segfaults happen in libxml2 for both applications (Galeon and
gnome-appearance-properties) which I ran under GDB:
#0 0x00007f6038aa95c8 in _int_free (av=0x7f6038d829e0, mem=0xc9ad10) at malloc.c:4663
#1 0x00007f6038aa9a76 in *__GI___libc_free (mem=0xc9ad10) at malloc.c:3626
#2 0x00007f603c54f065 in xmlParseEntityDecl__internal_alias (ctxt=0xcb1700) at parser.c:4809
#3 0x00007f603c54f7e6 in xmlParseMarkupDecl__internal_alias (ctxt=0x7f6038d829e0) at parser.c:5947
#4 0x00007f603c54f87e in xmlParseInternalSubset (ctxt=0xcb1700) at parser.c:7310
#5 0x00007f603c550626 in xmlParseChunk__internal_alias (ctxt=0xcb1700,
chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
#6 0x00007f602bac4cd0 in ?? () from /usr/lib/librsvg-2.so.2
#7 0x00007f602bcf0d7c in ?? () from /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
#8 0x00007f603a5d4c99 in IA__gdk_pixbuf_loader_write (loader=0xb28ea0,
buf=0xc94180 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!-- Generator: Adobe Illustrator 10.0.3, SVG Export Plug-In . SVG Version: 3.0.0 Build 77) -->\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.0//EN\" \"http://www.w3"..., count=4082, error=0xcc8528)
at /scratch/build-area/gtk+2.0-2.12.11/gdk-pixbuf/gdk-pixbuf-loader.c:475
#9 0x00007f603ab9c530 in icon_info_ensure_scale_and_pixbuf (icon_info=0xcc84f0,
scale_only=<value optimized out>)
at /scratch/build-area/gtk+2.0-2.12.11/gtk/gtkicontheme.c:2743
...
(you can see the rest of the backtraces in my mailing list email)
Here I'll also post the top of a "bt full", which indicates that glibc
complains about a double free:
#0 0x00007f4c4ab725c8 in _int_free (av=0x7f4c4ae4b9e0, mem=0xc9b570) at malloc.c:4663
p = (mchunkptr) 0xc9b560
size = 320
nextchunk = (mchunkptr) 0xc9b6a0
nextsize = 144
prevsize = <value optimized out>
bck = (mchunkptr) 0x11
fwd = (mchunkptr) 0x0
errstr = 0x7f4c4ac1a8d8 "double free or corruption (!prev)"
#1 0x00007f4c4ab72a76 in *__GI___libc_free (mem=0xc9b570) at malloc.c:3626
ar_ptr = (mstate) 0x7f4c4ae4b9e0
p = (mchunkptr) 0x1
hook = <value optimized out>
#2 0x00007f4c4e618065 in xmlParseEntityDecl__internal_alias (ctxt=0xc9a450) at parser.c:4809
name = (const xmlChar *) 0xc9b053 "ns_flows"
value = (xmlChar *) 0xc9b570 "http://ns.adobe.com/Flows/1.0/"
URI = <value optimized out>
literal = (xmlChar *) 0x0
ndata = <value optimized out>
isParameter = 0
orig = (xmlChar *) 0xc9b500 "http://ns.adobe.com/Flows/1.0/"
skipped = <value optimized out>
oldnbent = 0
#3 0x00007f4c4e6187e6 in xmlParseMarkupDecl__internal_alias (ctxt=0x7f4c4ae4b9e0) at parser.c:5947
#4 0x00007f4c4e61887e in xmlParseInternalSubset (ctxt=0xc9a450) at parser.c:7310
No locals.
No locals.
#5 0x00007f4c4e619626 in xmlParseChunk__internal_alias (ctxt=0xc9a450,
chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
end_in_lf = 0
#6 0x00007f4c3db8dcd0 in ?? () from /usr/lib/librsvg-2.so.2
No symbol table info available.
#7 0x00007f4c3ddb9d7c in ?? () from /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
No symbol table info available.
....
(BTW there seem to be no debugging symbols available in any Debian
package for librsvg-2. (Is this a bug of the librsvg-2 package?))
Christian.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (900, 'testing'), (800, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libxml2 depends on:
ii libc6 2.7-13 GNU C Library: Shared libraries
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages libxml2 recommends:
ii xml-core 0.11 XML infrastructure and XML catalog
libxml2 suggests no packages.
-- no debconf information
More information about the debian-xml-sgml-pkgs
mailing list