[xml/sgml-pkgs] Bug#496125: Bug#496125: libxml2: security fix does double free / segfaults (breaks Gnome apps)

Mike Hommey mh at glandium.org
Sat Aug 23 07:38:53 UTC 2008

On Fri, Aug 22, 2008 at 10:05:12PM +0200, Christian Jaeger wrote:
> The segfaults happen in libxml2 for both applications (Galeon and
> gnome-appearance-properties) which I ran under GDB:
> #0  0x00007f6038aa95c8 in _int_free (av=0x7f6038d829e0, mem=0xc9ad10) at malloc.c:4663
> #1  0x00007f6038aa9a76 in *__GI___libc_free (mem=0xc9ad10) at malloc.c:3626
> #2  0x00007f603c54f065 in xmlParseEntityDecl__internal_alias (ctxt=0xcb1700) at parser.c:4809
> #3  0x00007f603c54f7e6 in xmlParseMarkupDecl__internal_alias (ctxt=0x7f6038d829e0) at parser.c:5947
> #4  0x00007f603c54f87e in xmlParseInternalSubset (ctxt=0xcb1700) at parser.c:7310
> #5  0x00007f603c550626 in xmlParseChunk__internal_alias (ctxt=0xcb1700, 
>     chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
> #6  0x00007f602bac4cd0 in ?? () from /usr/lib/librsvg-2.so.2
> #7  0x00007f602bcf0d7c in ?? () from /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
> #8  0x00007f603a5d4c99 in IA__gdk_pixbuf_loader_write (loader=0xb28ea0, 
>     buf=0xc94180 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!-- Generator: Adobe Illustrator 10.0.3, SVG Export Plug-In . SVG Version: 3.0.0 Build 77)  -->\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.0//EN\"    \"http://www.w3"..., count=4082, error=0xcc8528)
>     at /scratch/build-area/gtk+2.0-2.12.11/gdk-pixbuf/gdk-pixbuf-loader.c:475
> #9  0x00007f603ab9c530 in icon_info_ensure_scale_and_pixbuf (icon_info=0xcc84f0, 
>     scale_only=<value optimized out>)
>     at /scratch/build-area/gtk+2.0-2.12.11/gtk/gtkicontheme.c:2743
> ...
> (you can see the rest of the backtraces in my mailing list email)

Seeing the backtrace, I'd say the same problem should probably be happening
with the stable updates, too.

Could you check what svg file is being opened here[1], and check what
xmllint has to say about it? (theoretically, it should segfault too)

1. You can check /proc/$(pidof galeon)/fd when running galeon under gdb
and the segfault has occurred.
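An added example, not part of the original reply or of libxml2/Debian: a small POSIX shell script that carries out the two steps the reply describes, listing the .svg files a process has open via /proc/PID/fd and then running xmllint on them, reporting whether xmllint exited normally or was killed by a signal. Two things in it are my additions rather than the reply's: it also tries `xmllint --push`, because librsvg hands the data to xmlParseChunk (frame #5), i.e. libxml2's push parser, and without a PID argument it writes a constructed sample SVG whose internal DTD subset declares an entity, so that parsing goes through the xmlParseInternalSubset -> xmlParseMarkupDecl -> xmlParseEntityDecl path of frames #2-#4 (that sample is not the Illustrator file from the report, and whether it reproduces the double free depends on the libxml2 build). The script name check-svg.sh is assumed.

```shell
#!/bin/sh
# Added example, not code from the original thread.  It does what the reply
# asks for: find the SVG a stopped process has open via /proc/PID/fd, feed it
# to xmllint, and report whether xmllint died.  Linux-only (needs /proc).
# With no PID argument it instead writes a constructed SVG with an internal
# DTD subset (assumed here; not the file from the report) and checks that.

# Print the target path of every fd of PID that points at a .svg file.
open_svg_files() {
    pid="$1"
    for fd in /proc/"$pid"/fd/*; do
        [ -e "$fd" ] || continue
        target=$(readlink "$fd") || continue
        case "$target" in
            *.svg) printf '%s\n' "$target" ;;
        esac
    done
}

# Write a small constructed SVG whose <!DOCTYPE> carries an internal subset
# with an entity declaration, so parsing goes through xmlParseInternalSubset ->
# xmlParseMarkupDecl -> xmlParseEntityDecl as in frames #2-#4 of the backtrace.
# Whether it trips the double free depends on the libxml2 build under test.
demo_svg() {
    out="$1/entity-decl.svg"
    cat > "$out" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg [
  <!ENTITY ns_svg "http://www.w3.org/2000/svg">
]>
<svg xmlns="&ns_svg;" width="16" height="16"><rect width="16" height="16"/></svg>
EOF
    printf '%s\n' "$out"
}

# Run xmllint on FILE (extra args are passed through, e.g. --push) and print
# its exit status.  Values above 128 mean death by signal: 139 = SIGSEGV (11),
# 134 = SIGABRT (6), the latter being what glibc raises on a detected double free.
xmllint_status() {
    file="$1"; shift
    if xmllint --noout "$@" "$file" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    printf '%s\n' "$status"
}

# Turn a status from xmllint_status into a one-line verdict.
describe_status() {
    if [ "$1" -gt 128 ]; then
        echo "killed by signal $(($1 - 128))"
    elif [ "$1" -eq 0 ]; then
        echo "parsed cleanly"
    else
        echo "xmllint exited $1 (parse error, not a crash)"
    fi
}

# Check one SVG in both parser modes.  librsvg hands the data to
# xmlParseChunk (frame #5), i.e. the push parser, which xmllint --push mirrors.
check_svg() {
    for mode in "" "--push"; do
        # $mode is deliberately unquoted so an empty mode passes no argument.
        s=$(xmllint_status "$1" $mode)
        echo "$1 ${mode:-(pull)}: $(describe_status "$s")"
    done
}

# Usage: sh check-svg.sh $(pidof galeon)   (galeon stopped in gdb after the crash)
#        sh check-svg.sh                   (constructed sample only)
main() {
    if [ $# -eq 1 ]; then
        open_svg_files "$1" | while read -r svg; do check_svg "$svg"; done
    else
        dir=$(mktemp -d)
        check_svg "$(demo_svg "$dir")"
        rm -rf "$dir"
    fi
}

main "$@"
```

Run it while galeon is still stopped in gdb, since the file descriptors disappear once the process exits; an exit status of 139 or 134 from xmllint on the same file is the confirmation the reply is asking for, whereas a plain parse error means the crash needs librsvg's push-parser path rather than the file alone.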
