[xml/sgml-pkgs] Bug#496125: Bug#496125: libxml2: security fix does double free / segfaults (breaks Gnome apps)

Christian Jaeger christian at jaeger.mine.nu
Sat Aug 23 21:26:41 UTC 2008 

Mike Hommey wrote:
> Could you check what svg file is being opened here[1] ?, and check what
> xmllint has to say about it ? (theorically, it should segfault too)
>   

I've now installed the lenny libxml2 again:

novo:/dev/shm/archives# dpkgli "libxml2*"
ii  libxml2                              2.6.32.dfsg-2+lenny1        GNOME XML library
ii  libxml2-utils                        2.6.32.dfsg-2+lenny1        XML utilities


and as expected galeon does again segfault upon startup as it did before I downgraded libxml2.

Your trick with the open fd's doesn't work, at the time of the segfault, no relevant fd is open anymore:

chris at novo:/tmp/chris$ l /proc/15985/{,task/*}/fd|perl -wne 's/.*2008-08-23.{6}//;print'|sort|uniq

 0 -> /dev/pts/22
 10 -> socket:[73309]
 11 -> socket:[73312]
 12 -> socket:[73314]
 13 -> socket:[73317]
 14 -> socket:[73321]
 15 -> socket:[73318]
 16 -> /home/chris/.galeon/mozilla/galeon/.parentlock
 17 -> /dev/random
 18 -> pipe:[73325]
 19 -> pipe:[73325]
 1 -> /dev/pts/22
 20 -> socket:[73327]
 21 -> /home/chris/.galeon/mozilla/galeon/permissions.sqlite
 2 -> /dev/pts/22
 3 -> socket:[73304]
 4 -> pipe:[73306]
 5 -> pipe:[73306]
 6 -> pipe:[73307]
 7 -> pipe:[73307]
 8 -> pipe:[73308]
 9 -> pipe:[73308]
/proc/15985//fd:
/proc/15985/task/15985/fd:
/proc/15985/task/15987/fd:
total 0

So instead I've run 

strace -fF -o _out /usr/bin/galeon fewfwef

and now

chris at novo:/tmp/chris$ grep open _out.1598* -l
_out.15985
chris at novo:/tmp/chris$ cat _out.1598* |grep open|grep -v ENOENT|less
# I'm stripping uninteresting stuff away
...
...
...
open("/usr/lib/xulrunner-1.9/defaults/pref/xulrunner.js", O_RDONLY) = 18
...
open("/usr/lib/xulrunner-1.9/components/xpcom_io.xpt", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/nsBlocklistService.js", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/modules/XPCOMUtils.jsm", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/xpcom_ds.xpt", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/extensions.xpt", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/xpcom_components.xpt", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/nsExtensionManager.js", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/nsUpdateService.js", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/nsTryToClose.js", O_RDONLY) = 21
open("/home/chris/.galeon/mozilla/galeon/prefs.js", O_RDONLY) = 21
open("/usr/share/galeon/default-prefs.js", O_RDONLY) = 21
open("/home/chris/.galeon/mozilla/galeon/prefs.js", O_RDONLY) = 21
open("/usr/share/themes/Wasp/gtk-2.0/gtkrc", O_RDONLY) = 21
..
open("/usr/share/themes/Default/gtk-2.0-key/gtkrc", O_RDONLY) = 21
open("/dev/urandom", O_RDONLY)          = 21
open("/home/chris/.galeon/favicon_cache.xml", O_RDONLY) = 21
open("/home/chris/.galeon/favicon_cache/CACHEDIR.TAG", O_RDWR|O_CREAT, 0660) = 21
open("/home/chris/.galeon/history2.xml", O_RDONLY) = 21
...
open("/etc/mtab", O_RDONLY)             = 22
open("/usr/share/icons/Wasp/index.theme", O_RDONLY) = 21
open("/usr/share/icons/Wasp/icon-theme.cache", O_RDONLY) = 21
open("/usr/share/icons/Wasp/icon-theme.cache", O_RDONLY) = 22
open("/usr/share/icons/gnome/index.theme", O_RDONLY) = 21
open("/usr/share/icons/gnome/8x8/emblems", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 21
open("/usr/share/icons/gnome/16x16/actions", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 21
...
#many icons like:
open("/usr/share/icons/gnome/24x24/places/folder.icon", O_RDONLY) = 22
...
...
open("/usr/share/icons/gnome/scalable/status/stock_open.icon", O_RDONLY) = 22
...
open("/home/chris/.galeon/bookmarks.xbel", O_RDONLY) = 21
..
open("/usr/lib64/gtk-2.0/2.10.0/immodule-files.d/libgtk2.0-0.immodules", O_RDONLY) = 22
open("/etc/fonts/fonts.conf", O_RDONLY) = 21
..
open("/etc/fonts/conf.d/80-delicious.conf", O_RDONLY) = 23
open("/etc/fonts/conf.d/90-synthetic.conf", O_RDONLY) = 23
..
open("/var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-x86-64.cache-2", O_RDONLY) = 21
open("/var/cache/fontconfig/6333f38776742d18e214673cd2c24e34-x86-64.cache-2", O_RDONLY) = 21
open("/proc/meminfo", O_RDONLY)         = 21
open("/usr/share/fonts/truetype/ttf-bitstream-vera/Vera.ttf", O_RDONLY) = 21
...
open("/usr/lib64/pango/1.6.0/module-files.d/libpango1.0-0.modules", O_RDONLY) = 22
...
open("/home/chris/.galeon/toolbars.xml", O_RDONLY) = 21
...
open("/usr/share/galeon/galeon-egg-ui.xml", O_RDONLY) = 21
...
open("/usr/share/galeon/google_images.png", O_RDONLY) = 21
open("/home/chris/.galeon/sidebars.xml", O_RDONLY) = 21
open("/usr/share/icons/gnome/16x16/actions/gtk-close.png", O_RDONLY) = 21
open("/dev/urandom", O_RDONLY)          = 21
open("/home/chris/.galeon/mozilla/galeon/permissions.sqlite", O_RDWR|O_CREAT, 0644) = 21
open("/usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg", O_RDONLY) = 22
open("/usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so", O_RDONLY) = 22
open("/etc/ld.so.cache", O_RDONLY)      = 22
open("/usr/lib/librsvg-2.so.2", O_RDONLY) = 22
open("/usr/lib/libgsf-1.so.114", O_RDONLY) = 22
open("/usr/lib/libcroco-0.6.so.3", O_RDONLY) = 22
open("/lib/libbz2.so.1.0", O_RDONLY)    = 22

So it's probably the gtk-go-back-ltr.svg file, since it's the last opened one before the segfault. Just to be sure:

chris at novo:/tmp/chris$ cat _out.1598* |grep open|grep -v ENOENT|egrep -i '\.(xml|rdf|svg)'
open("/home/chris/.galeon/favicon_cache.xml", O_RDONLY) = 21
open("/home/chris/.galeon/history2.xml", O_RDONLY) = 21
open("/home/chris/.galeon/toolbars.xml", O_RDONLY) = 21
open("/usr/share/galeon/galeon-egg-ui.xml", O_RDONLY) = 21
open("/home/chris/.galeon/sidebars.xml", O_RDONLY) = 21
open("/usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg", O_RDONLY) = 22

chris at novo:/tmp/chris$ cat _out.1598* |grep open|grep -v ENOENT|egrep -i '\.(xml|rdf|svg)'|perl -wne 'm/"([^"]*)"/ and print "$1\n"'|bash -c 'set -e; while read f; do xmllint "$f" > "`basename "$f"`"; done'
/usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg:11: parser warning : xmlns: URI &ns_svg; is not absolute
	 xmlns="&ns_svg;" xmlns:xlink="&ns_xlink;" xmlns:a="http://ns.adobe.com/AdobeSV
	                 ^

chris at novo:/tmp/chris$ xmllint /usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg > foo
/usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg:11: parser warning : xmlns: URI &ns_svg; is not absolute
	 xmlns="&ns_svg;" xmlns:xlink="&ns_xlink;" xmlns:a="http://ns.adobe.com/AdobeSV
	                 ^
chris at novo:/tmp/chris$ echo $?
0


So, interestingly, no, xmllint does not segfault on this file. (Although 
it is giving a warning.)

Maybe another point hinting at a general heap corruption issue and not 
really a problem in libxml2.

Christian.

More information about the debian-xml-sgml-pkgs mailing list