Debian Bug report logs - #901817
libxml2: CVE-2018-14404: NULL pointer deref in xpath.c:xmlXPathCompOpEval()

Reported by: Guy Inbar <guyinbara@gmail.com>

Date: Mon, 18 Jun 2018 19:51:02 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Forwarded to https://gitlab.gnome.org/GNOME/libxml2/issues/5



Report forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>: Bug#901817; Package libxml2. (Mon, 18 Jun 2018 19:51:04 GMT)


Acknowledgement sent to Guy Inbar <guyinbara@gmail.com>: New Bug report received and forwarded. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Mon, 18 Jun 2018 19:51:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guy Inbar <guyinbara@gmail.com>
To: submit@bugs.debian.org
Subject: libxml2 - DoS - null deref - xmlXPathCompOpEval
Date: Mon, 18 Jun 2018 22:48:58 +0300
Package: libxml2

Vulnerability class: Null deref, Denial of Service.

Description:
There are two bugs in the xpath implementation in libxml2 in the file:
https://github.com/GNOME/libxml2/blob/master/xpath.c

function name:
xmlXPathCompOpEval (2 bugs in this function)

inside the big switch clause there are 2 bugs:
1. in case XPATH_OP_AND - there is no check in the following code:
            arg1 = valuePop(ctxt); //this could result in null.
            arg1->boolval &= arg2->boolval; //and then the application is crashing here, resulting in a Denial of Service condition.

2. in case XPATH_OP_OR - there is no check in the following code:
            arg1 = valuePop(ctxt); //can result in null
            arg1->boolval |= arg2->boolval; //crashing here due to null deref.

Exploitability:
The complexity is fairly low, as the following xpath expressions are likely
to be easily given by attackers remotely:
1. true() and format-number(1, "", "")
2. false() or format-number(1, "", "")

Proposed Fix:
The fix should be easy, just check for null values in arg1 before
dereferencing in both cases.

I've verified this bug is affecting the latest PHP 5.6 with the xml module, which
can cause a denial of service for applications accepting xpath/xslt.
It also affects Chrome (and I assume Safari too), but it's only a client
side tab crash for browsers.

I've added reproducers for both bugs in browsers and in PHP.

For browser reproduction, open the html reproducers with your target browser
(Chrome/Safari).

For PHP reproduction (PHP needs the xml module for DOM), make sure the
.php files and .xsl files reside in the same directory and run the
following commands:
php -f xpath_or.php
php -f xpath_and.php


-- 
Guy Inbar.
[reproducers.zip (application/x-zip-compressed, attachment)]
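Added example, not libxml2 code and not part of the report's reproducers: a minimal model of the value stack that xmlXPathCompOpEval pops from, showing the NULL check the two "arg1 = valuePop(ctxt)" lines above are missing. The XPATH_OP_OR case is handled the same way with |= instead of &=. All names (xp_ctx, xp_pop, xp_op_and_checked, ...) and the error code are hypothetical.

```c
#include <stddef.h>

#define XP_STACK_MAX 8
#define XP_ERR_INVALID_OPERAND 1

typedef struct { int boolval; } xp_value;
typedef struct { xp_value *stack[XP_STACK_MAX]; int sp; int error; } xp_ctx;

/* Like libxml2's valuePop(): returns NULL when there is nothing to pop. */
static xp_value *xp_pop(xp_ctx *c) { return c->sp > 0 ? c->stack[--c->sp] : NULL; }
static int xp_push(xp_ctx *c, xp_value *v) {
    if (c->sp >= XP_STACK_MAX) return -1;
    c->stack[c->sp++] = v;
    return 0;
}

/* Models the right-hand call (e.g. format-number(1, "", "")) failing:
 * the error is recorded but no result object is pushed for the operator. */
static void xp_failing_call(xp_ctx *c) { c->error = XP_ERR_INVALID_OPERAND; }

/* Hardened XPATH_OP_AND (hypothetical fix): a missing operand becomes an
 * evaluation error instead of a NULL dereference on arg1->boolval.
 * Returns 0 on success, -1 if an operand was missing (error is set). */
static int xp_op_and_checked(xp_ctx *c) {
    xp_value *arg2 = xp_pop(c);
    xp_value *arg1 = xp_pop(c);
    if (arg1 == NULL || arg2 == NULL) { c->error = XP_ERR_INVALID_OPERAND; return -1; }
    arg1->boolval &= arg2->boolval;
    return xp_push(c, arg1);
}

/* "a and b" with both operands present: returns the result, or -1 on error. */
static int xp_demo_and(int a, int b) {
    xp_ctx c = { {0}, 0, 0 };
    xp_value va = { a }, vb = { b };
    xp_push(&c, &va); xp_push(&c, &vb);
    return xp_op_and_checked(&c) == 0 ? c.stack[c.sp - 1]->boolval : -1;
}

/* "true() and <failing call>": returns 1 if the checked operator reported
 * the missing operand cleanly instead of crashing. */
static int xp_demo_and_with_failing_rhs(void) {
    xp_ctx c = { {0}, 0, 0 };
    xp_value lhs = { 1 };
    xp_push(&c, &lhs);     /* result of true() */
    xp_failing_call(&c);   /* rhs fails and pushes nothing */
    return xp_op_and_checked(&c) == -1 && c.error == XP_ERR_INVALID_OPERAND;
}
```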

Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Jun 2018 20:39:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>: Bug#901817; Package libxml2. (Tue, 19 Jun 2018 20:42:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Tue, 19 Jun 2018 20:42:08 GMT)


Message #12 received at 901817@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Guy Inbar <guyinbara@gmail.com>, 901817@bugs.debian.org
Subject: Re: Bug#901817: libxml2 - DoS - null deref - xmlXPathCompOpEval
Date: Tue, 19 Jun 2018 22:39:34 +0200
Hi,

On Mon, Jun 18, 2018 at 10:48:58PM +0300, Guy Inbar wrote:
> Package: libxml2
> 
> Vulnerability class: Null deref, Denial of Service.
> 
> Description:
> There are two bugs in the xpath implementation in libxml2 in the file:
> https://github.com/GNOME/libxml2/blob/master/xpath.c
> 
> function name:
> xmlXPathCompOpEval (2 bugs in this function)
> 
> inside the big switch clause there are 2 bugs:
> 1. in case XPATH_OP_AND - there is no check in the following code:
>             arg1 = valuePop(ctxt); //this could result in null.
>             arg1->boolval &= arg2->boolval; //and then the application
> is crashing here resulting in a Denial of Service condition.
> 
> 2. in case XPATH_OP_OR: - there is no check in the following code:
>             arg1 = valuePop(ctxt); //can result in null
>             arg1->boolval |= arg2->boolval; //crashing here due to null
> deref.
> 
> Exploitability:
> The complexity is fairly low, as the following xpath expressions are likely
> to be easily given by attackers remotely:
> 1. true() and format-number(1, "", "")
> 2. false() or format-number(1, "", "")
> 
> Proposed Fix:
> The fix should be easy, just check for null values in arg1 before
> dereferencing in both cases.
> 
> I've verified this bug is affecting latest PHP 5.6 with xml module which
> can cause a denial of service for applications accepting xpath/xslt.
> It also affects chrome (and I assume safari too), but it's only a client
> side tab crash for browsers.
> 
> I've added reproducers for both bugs in browsers and in php.
> 
> For browser reproduction open the html reproducers with your target browser
> (chrome/safari).
> 
> For php reproduction run the following (php needs the xml module for DOM):
> make sure the php files and .xsl files reside in same directory and run the
> following commands:
> php -f xpath_or.php
> php -f xpath_and.php

Can you please report this upstream directly in the upstream bugzilla
and, once you have the bug reference, mark this bug here as
forwarded to the upstream one?

https://www.debian.org/Bugs/server-control#forwarded

Thanks already.

Regards,
Salvatore



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Jun 2018 20:51:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>: Bug#901817; Package libxml2. (Thu, 28 Jun 2018 01:36:02 GMT)


Acknowledgement sent to sfowler@redhat.com: Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Thu, 28 Jun 2018 01:36:02 GMT)


Message #19 received at 901817@bugs.debian.org:

From: Sam Fowler <sfowler@redhat.com>
To: 901817@bugs.debian.org
Subject: Re: Bug#901817: libxml2 - DoS - null deref - xmlXPathCompOpEval
Date: Thu, 28 Jun 2018 11:28:18 +1000
On Tue, 19 Jun 2018 22:39:34 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Can you please report the upstream directly
> in the upstream bugzilla
> and once you have the bug reference, add then mark this bug here as
> forwarded to the upstream one?
> 
> https://www.debian.org/Bugs/server-control#forwarded
> 
> Thanks already.
> 
> Regards,

Couldn't see this in GNOME bugzilla so filed:

https://gitlab.gnome.org/GNOME/libxml2/issues/10

-- 
Sam Fowler, Red Hat Product Security



Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>: Bug#901817; Package libxml2. (Thu, 19 Jul 2018 20:24:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Thu, 19 Jul 2018 20:24:05 GMT)


Message #24 received at 901817@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: sfowler@redhat.com, 901817@bugs.debian.org
Subject: Re: Bug#901817: libxml2 - DoS - null deref - xmlXPathCompOpEval
Date: Thu, 19 Jul 2018 22:21:32 +0200
Control: retitle -1 libxml2: CVE-2018-14404: NULL pointer deref in xpath.c:xmlXPathCompOpEval()
Control: forwarded -1 https://gitlab.gnome.org/GNOME/libxml2/issues/10

Hi,

On Thu, Jun 28, 2018 at 11:28:18AM +1000, Sam Fowler wrote:
> On Tue, 19 Jun 2018 22:39:34 +0200 Salvatore Bonaccorso
> <carnil@debian.org> wrote:
> > Can you please report the upstream directly
> > in the upstream bugzilla
> > and once you have the bug reference, add then mark this bug here as
> > forwarded to the upstream one?
> > 
> > https://www.debian.org/Bugs/server-control#forwarded
> > 
> > Thanks already.
> > 
> > Regards,
> 
> Couldn't see this in GNOME bugzilla so filed:
> 
> https://gitlab.gnome.org/GNOME/libxml2/issues/10

Thanks!

This issue has been assigned CVE-2018-14404.

Regards,
Salvatore



Changed Bug title to 'libxml2: CVE-2018-14404: NULL pointer deref in xpath.c:xmlXPathCompOpEval()' from 'libxml2 - DoS - null deref - xmlXPathCompOpEval'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 901817-submit@bugs.debian.org. (Thu, 19 Jul 2018 20:24:06 GMT)


Set Bug forwarded-to-address to 'https://gitlab.gnome.org/GNOME/libxml2/issues/10'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 901817-submit@bugs.debian.org. (Thu, 19 Jul 2018 20:24:06 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 30 Jul 2018 17:15:05 GMT)


Changed Bug forwarded-to-address to 'https://gitlab.gnome.org/GNOME/libxml2/issues/5' from 'https://gitlab.gnome.org/GNOME/libxml2/issues/10'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 Aug 2018 18:45:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:36:34 2019; Machine Name: buxtehude
