[xml/sgml-pkgs] Bug#496125: Bug#496125: Bug#496125: libxml2: security fix does double free / segfaults (breaks Gnome apps)
mh at glandium.org
Sun Aug 24 08:10:54 UTC 2008
On Sun, Aug 24, 2008 at 09:27:50AM +0200, Christian Jaeger wrote:
> Mike Hommey wrote:
> > Now, try changing your gnome theme and re-run galeon; if I'm correct,
> > it shouldn't crash. Can you tell me what package this svg file belongs
> > to ?
> Yes, the segfaults happen only in the "Gorilla" and "Wasp" themes (apps
> did start when running the Amaranth, Clearlooks, Crux, Glider, Glossy,
> Industrial, Lush, Mist, Nuvola, SphereCrystal themes).
> With Gorilla the svg file in question is
> # dpkgS is a script which resolves symlinks and then looks it up with dpkg -S
> chris at novo:~$ dpkgS /usr/share/icons/Gorilla/scalable/actions/gtk-jump-to-ltr.svg
> gnome-themes-extras: /usr/share/icons/Gorilla/scalable/actions/go-jump.svg
> chris at novo:~$ dpkgS /usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg
> gnome-themes-extras: /usr/share/icons/Wasp/scalable/actions/go-previous.svg
> chris at novo:/tmp/chris$ xmllint /usr/share/icons/Gorilla/scalable/actions/gtk-jump-to-ltr.svg > svg
> chris at novo:/tmp/chris$ echo $?
> What this file does *not* share with the one from the Wasp theme is
> that xmllint does not even output a warning.
> Not sure what to conclude from this. Except that it might be a bug in
> one of these packages:
> $ dpkgS /usr/lib/librsvg-2.so.2
> librsvg2-2: /usr/lib/librsvg-2.so.2.22.2
> $ dpkgS /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
> librsvg2-common: /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
So... the culprit is just librsvg that creates xmlEntity objects not
through the API, but by malloc'ing a buffer of sizeof(xmlEntity).
This struct has gained a member in the security update, breaking rsvg's
A BinNMU of librsvg against libxml2-dev 2.6.32.dfsg-2+lenny1 should
solve the issue (and won't break compatibility with older libxml2, since
older libxml2 will be happy with a too big buffer)
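
The size mismatch described in the message above, as an added example that is not part of the original mail and is not libxml2 or librsvg code. The two struct layouts and the member name "extra" are hypothetical stand-ins for xmlEntity before and after the update.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layouts, NOT libxml2's real xmlEntity definition. */
struct entity_old {            /* what the caller's headers declared */
    int type;
    const char *name;
    char *content;
};
struct entity_new {            /* what the updated library is built with */
    int type;
    const char *name;
    char *content;
    int extra;                 /* member added by the update (name assumed) */
};

/* Bytes of the library's struct that lie beyond a caller-sized buffer. */
size_t bytes_out_of_bounds(size_t caller_alloc, size_t lib_struct)
{
    return lib_struct > caller_alloc ? lib_struct - caller_alloc : 0;
}

/* The API route: the library allocates, so the size always matches the
   layout of the library that will later read and free the object. */
struct entity_new *lib_new_entity(const char *name)
{
    struct entity_new *e = calloc(1, sizeof *e);
    if (e != NULL)
        e->name = name;
    return e;
}

int main(void)
{
    /* Caller built against old headers, running with the new library. */
    printf("old caller + new lib: %zu bytes out of bounds\n",
           bytes_out_of_bounds(sizeof(struct entity_old), sizeof(struct entity_new)));
    /* Caller rebuilt against new headers, running with the old library. */
    printf("new caller + old lib: %zu bytes out of bounds\n",
           bytes_out_of_bounds(sizeof(struct entity_new), sizeof(struct entity_old)));
    struct entity_new *e = lib_new_entity("amp");
    if (e == NULL)
        return 1;
    printf("API-allocated: extra = %d (initialised)\n", e->extra);
    free(e);
    return 0;
}
```

The first case is the crash scenario: the library's added member sits entirely past the end of the caller's malloc'ed buffer. The second case is why a rebuild stays compatible with the older library, which never looks beyond its own smaller layout.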