[xml/sgml-pkgs] Bug#901817: libxml2 - DoS - null deref - xmlXPathCompOpEval

Guy Inbar guyinbara at gmail.com
Mon Jun 18 20:48:58 BST 2018


Package: libxml2

Vulnerability class: Null deref, Denial of Service.

Description:
There are two bugs in the XPath implementation of libxml2, in the file:
https://github.com/GNOME/libxml2/blob/master/xpath.c

function name:
xmlXPathCompOpEval (2 bugs in this function)

Inside the big switch statement there are 2 bugs:
1. In case XPATH_OP_AND there is no check in the following code:
            arg1 = valuePop(ctxt);          // this could result in NULL
            arg1->boolval &= arg2->boolval; // and then the application crashes here, resulting in a Denial of Service condition

2. In case XPATH_OP_OR there is no check in the following code:
            arg1 = valuePop(ctxt);          // can result in NULL
            arg1->boolval |= arg2->boolval; // crashes here due to the NULL deref

Exploitability:
The complexity is fairly low, as the following XPath expressions can easily
be supplied by remote attackers:
1. true() and format-number(1, "", "")
2. false() or format-number(1, "", "")

Proposed Fix:
The fix should be easy: just check arg1 for NULL before dereferencing it in
both cases.

I've verified that this bug affects the latest PHP 5.6 with the xml module,
which can cause a denial of service for applications accepting XPath/XSLT.
It also affects Chrome (and I assume Safari too), but in browsers it's only a
client-side tab crash.

I've added reproducers for both bugs in browsers and in PHP.

For browser reproduction, open the HTML reproducers in your target browser
(Chrome/Safari).

For PHP reproduction (PHP needs the xml module for DOM), make sure the .php
files and the .xsl files reside in the same directory and run the following
commands:
php -f xpath_or.php
php -f xpath_and.php


-- 
Guy Inbar.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-xml-sgml-pkgs/attachments/20180618/62ce166b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: reproducers.zip
Type: application/x-zip-compressed
Size: 2809 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-xml-sgml-pkgs/attachments/20180618/62ce166b/attachment.bin>
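Added example, not libxml2 code and not taken from the report's attachments: a self-contained C model of the value stack and of the AND/OR combining step, with the unchecked shape the report quotes next to the NULL check it proposes. It illustrates both the Description and the Exploitability sections above: why a right-hand operand that produces no value crashes the unchecked version, and why the reproducers have to start with true() for "and" and false() for "or". Every name here (xp_object, val_stack, val_pop, val_push, combine_unchecked, combine_checked, run_expr, XP_INVALID_OPERAND) is invented for illustration. Two things are assumptions rather than quotes from the report: that the left operand is popped before the right operand is evaluated, and that the right operand in the reproducers fails and pushes nothing. The one libxml2 behaviour relied on is that valuePop() returns NULL on an empty stack.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the boolval field of an xmlXPathObject (invented type). */
typedef struct {
    int boolval;
} xp_object;

/* Stand-in for the XPath context's value stack (invented type). */
typedef struct {
    xp_object *items[8];
    int top;
} val_stack;

enum { XP_OK = 0, XP_INVALID_OPERAND = 1 };

/* Like libxml2's valuePop(): an empty stack yields NULL, not an error. */
static xp_object *val_pop(val_stack *s) {
    return (s->top > 0) ? s->items[--s->top] : NULL;
}

static void val_push(val_stack *s, xp_object *o) {
    s->items[s->top++] = o;
}

static xp_object *new_bool(int v) {
    xp_object *o = malloc(sizeof *o);
    o->boolval = v ? 1 : 0;
    return o;
}

/* Before: the shape the report quotes.  arg2 (left operand) was already
 * popped before the right operand ran; if the right operand pushed nothing,
 * val_pop() returns NULL and the &= / |= dereferences it. */
static int combine_unchecked(val_stack *s, xp_object *arg2, int op_is_or) {
    xp_object *arg1 = val_pop(s);          /* may be NULL */
    if (op_is_or)
        arg1->boolval |= arg2->boolval;    /* NULL dereference if arg1 == NULL */
    else
        arg1->boolval &= arg2->boolval;
    val_push(s, arg1);
    free(arg2);
    return XP_OK;
}

/* After: the check the report proposes.  A missing operand becomes an XPath
 * error, and the already-popped arg2 is released so nothing leaks. */
static int combine_checked(val_stack *s, xp_object *arg2, int op_is_or) {
    xp_object *arg1 = val_pop(s);
    if (arg1 == NULL) {
        free(arg2);
        return XP_INVALID_OPERAND;
    }
    if (op_is_or)
        arg1->boolval |= arg2->boolval;
    else
        arg1->boolval &= arg2->boolval;
    val_push(s, arg1);
    free(arg2);
    return XP_OK;
}

/* Drive one "lhs and rhs" / "lhs or rhs" evaluation in the assumed order:
 * push lhs, short-circuit, pop lhs as arg2, run rhs, combine.
 * rhs_present == 0 models a right operand that fails and pushes no value
 * (assumed here to be what the report's format-number() calls do).
 * Returns the boolean result, or -1 when the combining step reported an error. */
static int run_expr(int lhs, int rhs_present, int rhs, int op_is_or,
                    int (*combine)(val_stack *, xp_object *, int)) {
    val_stack s = { { 0 }, 0 };
    xp_object *arg2, *out;
    int result;

    val_push(&s, new_bool(lhs));
    /* "false() and ..." and "true() or ..." never evaluate the right side,
     * which is why the reproducers start with true() / false() respectively. */
    if ((!op_is_or && !lhs) || (op_is_or && lhs)) {
        out = val_pop(&s);
        result = out->boolval;
        free(out);
        return result;
    }
    arg2 = val_pop(&s);
    if (rhs_present)
        val_push(&s, new_bool(rhs));
    if (combine(&s, arg2, op_is_or) != XP_OK)
        return -1;
    out = val_pop(&s);
    result = out->boolval;
    free(out);
    return result;
}

int main(void) {
    /* Both versions agree whenever the right operand produced a value. */
    printf("true() and true()   -> %d\n", run_expr(1, 1, 1, 0, combine_checked));
    /* The report's two reproducers: the right operand pushes nothing. */
    printf("true() and <none>   -> %d\n", run_expr(1, 0, 0, 0, combine_checked));
    printf("false() or <none>   -> %d\n", run_expr(0, 0, 0, 1, combine_checked));
    /* run_expr(1, 0, 0, 0, combine_unchecked) would dereference NULL here. */
    return 0;
}
```

The checked variant returns an error code where the unchecked one would fault; a real fix in xmlXPathCompOpEval would also have to propagate that error through the context's error state rather than just return, which this model does not attempt.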