[xml/sgml-pkgs] Bug#901817: libxml2 - DoS - null deref - xmlXPathCompOpEval

Salvatore Bonaccorso carnil at debian.org
Tue Jun 19 21:39:34 BST 2018


Hi,

On Mon, Jun 18, 2018 at 10:48:58PM +0300, Guy Inbar wrote:
> Package: libxml2
> 
> Vulnerability class: Null deref, Denial of Service.
> 
> Description:
> There are two bugs in the xpath implementation in libxml2 in the file:
> https://github.com/GNOME/libxml2/blob/master/xpath.c
> 
> function name:
> xmlXPathCompOpEval (2 bugs in this function)
> 
> inside the big switch clause there are 2 bugs:
> 1. in case XPATH_OP_AND - there is no check in the following code:
>             arg1 = valuePop(ctxt); //this could result in null.
>             arg1->boolval &= arg2->boolval; //and then the application
> is crashing here resulting in a Denial of Service condition.
> 
> 2. in case XPATH_OP_OR: - there is no check in the following code:
>             arg1 = valuePop(ctxt); //can result in null
>             arg1->boolval |= arg2->boolval; //crashing here due to null
> deref.
> 
> Exploitability:
> The complexity is fairly low, as the following xpath expressions are likely
> to be easily given by attackers remotely:
> 1. true() and format-number(1, "", "")
> 2. false() or format-number(1, "", "")
> 
> Proposed Fix:
> The fix should be easy, just check for null values in arg1 before
> dereferencing in both cases.
> 
> I've verified this bug affects the latest PHP 5.6 with the xml module, which
> can cause a denial of service for applications accepting xpath/xslt.
> It also affects chrome (and I assume safari too), but it's only a client
> side tab crash for browsers.
> 
> I've added reproducers for both bugs in browsers and in php.
> 
> For browser reproduction open the html reproducers with your target browser
> (chrome/safari).
> 
> For php reproduction run the following (php needs the xml module for DOM):
> make sure the php files and .xsl files reside in same directory and run the
> following commands:
> php -f xpath_or.php
> php -f xpath_and.php

Can you please report this upstream directly in the upstream bugzilla
and, once you have the bug reference, mark this bug here as
forwarded to the upstream one?

https://www.debian.org/Bugs/server-control#forwarded

Thanks already.

Regards,
Salvatore
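The XPATH_OP_AND / XPATH_OP_OR handlers quoted in the report above, as an added illustration in C. This is a stripped-down model written for this page, not libxml2's own xpath.c: the names xval, xctxt, logicOpChecked, evaluate and the op encoding are assumptions, and the "compiled" expressions are constructed by hand. It shows the unconditional `arg1->boolval &= arg2->boolval` beside the NULL check the reporter proposes, driven by the two expressions from the report and two well-formed controls.

```c
/* Added illustration, not libxml2's own code: a stripped-down model of the
 * value stack used by xmlXPathCompOpEval, showing the XPATH_OP_AND / OR
 * handlers from the report beside a form that checks valuePop() for NULL.
 * All names below (xval, xctxt, logicOpChecked, ...) are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int boolval; } xval;        /* stands in for xmlXPathObject */

enum { XPATH_OK = 0, XPATH_UNKNOWN_FUNC_ERROR = 1, XPATH_INVALID_OPERAND = 2 };

typedef struct {
    xval *stack[8];
    int   nr;
    int   error;                             /* like ctxt->error: sticky */
} xctxt;

/* Like libxml2's valuePop(): NULL when the stack is empty. */
static xval *valuePop(xctxt *c) { return c->nr > 0 ? c->stack[--c->nr] : NULL; }
static void  valuePush(xctxt *c, xval *v) { if (c->nr < 8) c->stack[c->nr++] = v; }
static xval *newBool(int b) { xval *v = malloc(sizeof *v); v->boolval = b; return v; }

typedef enum { OP_FUNCALL, OP_AND, OP_OR } opcode;
typedef struct { opcode op; const char *name; } xop;   /* one "compiled" step */

/* Only XPath core functions exist here. format-number() is an XSLT function,
 * so, as in the report, a plain XPath context does not know it: the error is
 * recorded and NOTHING is pushed, leaving the stack one value short. */
static void callFunction(xctxt *c, const char *name) {
    if (strcmp(name, "true") == 0)       valuePush(c, newBool(1));
    else if (strcmp(name, "false") == 0) valuePush(c, newBool(0));
    else                                 c->error = XPATH_UNKNOWN_FUNC_ERROR;
}

/* The pattern the report describes: arg1 is dereferenced unconditionally.
 * On EXPR_AND_BAD / EXPR_OR_BAD below arg1 is NULL and this crashes; it is
 * kept for comparison and is only ever run on well-formed input here. */
static int logicOpUnchecked(xctxt *c, opcode op) {
    xval *arg2 = valuePop(c);
    xval *arg1 = valuePop(c);                /* NULL when the stack ran dry */
    if (op == OP_AND) arg1->boolval &= arg2->boolval;
    else              arg1->boolval |= arg2->boolval;
    free(arg2);
    valuePush(c, arg1);
    return XPATH_OK;
}

/* Hardened form, following the reporter's proposed fix: a missing operand is
 * reported as an evaluation error instead of being dereferenced. */
static int logicOpChecked(xctxt *c, opcode op) {
    xval *arg2 = valuePop(c);
    xval *arg1 = valuePop(c);
    if (arg1 == NULL || arg2 == NULL) {
        free(arg1); free(arg2);              /* free(NULL) is a no-op */
        c->error = XPATH_INVALID_OPERAND;
        return XPATH_INVALID_OPERAND;
    }
    if (op == OP_AND) arg1->boolval &= arg2->boolval;
    else              arg1->boolval |= arg2->boolval;
    free(arg2);
    valuePush(c, arg1);
    return XPATH_OK;
}

/* Runs a postfix op sequence. Returns 0/1 for a successful boolean result and
 * the negated error code otherwise. A failed function call alone does not stop
 * evaluation, which is what exposes the short stack to the AND/OR step. */
static int evaluate(const xop *ops, int n, int checked) {
    xctxt c; memset(&c, 0, sizeof c);
    int rc = XPATH_OK;
    for (int i = 0; i < n && rc == XPATH_OK; i++) {
        if (ops[i].op == OP_FUNCALL) callFunction(&c, ops[i].name);
        else rc = checked ? logicOpChecked(&c, ops[i].op) : logicOpUnchecked(&c, ops[i].op);
    }
    int result;
    if (rc != XPATH_OK)                                   result = -rc;
    else if (c.error != XPATH_OK || c.nr != 1)            result = c.error ? -c.error : -XPATH_INVALID_OPERAND;
    else                                                  result = c.stack[0]->boolval;
    while (c.nr > 0) free(valuePop(&c));                 /* release leftovers */
    return result;
}

/* The two expressions from the report plus two well-formed controls, as
 * constructed postfix op sequences (operands first, operator last). */
#define NOPS(a) ((int)(sizeof(a) / sizeof((a)[0])))
static const xop EXPR_AND_BAD[] = { {OP_FUNCALL, "true"},  {OP_FUNCALL, "format-number"}, {OP_AND, NULL} };
static const xop EXPR_OR_BAD[]  = { {OP_FUNCALL, "false"}, {OP_FUNCALL, "format-number"}, {OP_OR,  NULL} };
static const xop EXPR_AND_OK[]  = { {OP_FUNCALL, "true"},  {OP_FUNCALL, "false"},         {OP_AND, NULL} };
static const xop EXPR_OR_OK[]   = { {OP_FUNCALL, "false"}, {OP_FUNCALL, "true"},          {OP_OR,  NULL} };

static int evalChecked(const xop *ops, int n) { return evaluate(ops, n, 1); }

int main(void) {
    printf("true() and false()                 -> %d\n", evalChecked(EXPR_AND_OK, NOPS(EXPR_AND_OK)));
    printf("false() or true()                  -> %d\n", evalChecked(EXPR_OR_OK, NOPS(EXPR_OR_OK)));
    printf("true() and format-number(1,\"\",\"\")  -> %d (error, not a crash)\n",
           evalChecked(EXPR_AND_BAD, NOPS(EXPR_AND_BAD)));
    printf("false() or format-number(1,\"\",\"\")  -> %d (error, not a crash)\n",
           evalChecked(EXPR_OR_BAD, NOPS(EXPR_OR_BAD)));
    return 0;
}
```

The point of the model is the stack discipline, not the parser: once an operand-producing step can fail without pushing anything, every consumer of valuePop() has to treat NULL as a real outcome, and a single missing check turns attacker-supplied XPath into a process crash. The unchecked handler is retained only so the two forms can be read side by side.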
