Source: libxml2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libxml2.

CVE-2009-2416[0]:
| Pointer use-after-free flaws were found in libxml when parsing Notation
| and Enumeration attribute types. A remote attacker could provide
| a specially-crafted XML file which, once opened by a local, unsuspecting
| user, would lead to denial of service (application crash).

CVE-2009-2414[1]:
| A stack overflow flaw was found in libxml when parsing the DTD definition
| of the root XML document element. Providing a specially-crafted XML file would
| lead to excessive stack growth and denial of service (application crash),
| when opened by a victim.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416
    http://security-tracker.debian.net/tracker/CVE-2009-2416
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414
    http://security-tracker.debian.net/tracker/CVE-2009-2414

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
--- parser.c.orig	2009-08-03 15:33:12.000000000 +0200
+++ parser.c	2009-08-03 15:36:26.000000000 +0200
@@ -4778,10 +4779,14 @@ xmlParseNotationType(xmlParserCtxtPtr ct
 	if (name == NULL) {
 	    xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
 			   "Name expected in NOTATION declaration\n");
-	    return(ret);
+            xmlFreeEnumeration(ret);
+	    return(NULL);
 	}
 	cur = xmlCreateEnumeration(name);
-	if (cur == NULL) return(ret);
+	if (cur == NULL) {
+            xmlFreeEnumeration(ret);
+            return(NULL);
+        }
 	if (last == NULL) ret = last = cur;
 	else {
 	    last->next = cur;
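Review bot: The added lines at L41 and L47–L49 are indented with spaces while the surrounding parser.c code uses tabs, so the new block reads misaligned in a tab-width-8 view and will be flagged by a whitespace-checking diff; the same applies to L60, L71–L73, L94, L96, L104 and L106. Converting the new lines to the file's tab indentation keeps the patch consistent. The behavioural change itself is sound: freeing the whole partial `ret` list and returning NULL replaces the earlier partial free that left `ret` pointing at released nodes, but a short comment such as `/* free the partial list; the caller must not see dangling nodes */` at L41 would make the reason for the NULL return explicit. xmlParseNotationType's declaration and the enclosing loop head lie outside this hunk.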
@@ -4791,9 +4796,8 @@ xmlParseNotationType(xmlParserCtxtPtr ct
     } while (RAW == '|');
     if (RAW != ')') {
 	xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
-	if ((last != NULL) && (last != ret))
-	    xmlFreeEnumeration(last);
-	return(ret);
+        xmlFreeEnumeration(ret);
+	return(NULL);
     }
     NEXT;
     return(ret);
@@ -4834,7 +4838,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr
 	}
 	cur = xmlCreateEnumeration(name);
 	xmlFree(name);
-	if (cur == NULL) return(ret);
+	if (cur == NULL) {
+            xmlFreeEnumeration(ret);
+            return(NULL);
+        }
 	if (last == NULL) ret = last = cur;
 	else {
 	    last->next = cur;
@@ -5232,6 +5239,12 @@ xmlParseElementChildrenContentDecl (xmlP
     const xmlChar *elem;
     xmlChar type = 0;
 
+    if (ctxt->depth > 128) {
+        xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
+                "xmlParseElementChildrenContentDecl : depth %d too deep\n",
+                          ctxt->depth);
+	return(NULL);
+    }
     SKIP_BLANKS;
     GROW;
     if (RAW == '(') {
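Review bot: The recursion limit at L81 is a bare magic number, `if (ctxt->depth > 128)`, with no name or explanation of why 128 was chosen; a named constant makes the bound visible and tunable, e.g. `#define XML_PARSER_MAX_DEPTH 128` at file scope and `if (ctxt->depth > XML_PARSER_MAX_DEPTH) {`. The check also reuses XML_ERR_ELEMCONTENT_NOT_FINISHED for what is a nesting-depth rejection; if a dedicated error code exists for excessive nesting it would be more accurate for callers that inspect the error, though which codes the error enum offers is not visible here. A comment above the guard stating that it caps the recursion driven by the `ctxt->depth++` wrappers around the recursive calls in this function would help future maintainers see why the two sites must stay paired. The rest of xmlParseElementChildrenContentDecl lies outside this hunk.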
@@ -5240,7 +5253,9 @@ xmlParseElementChildrenContentDecl (xmlP
         /* Recurse on first child */
 	NEXT;
 	SKIP_BLANKS;
+        ctxt->depth++;
         cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
+        ctxt->depth--;
 	SKIP_BLANKS;
 	GROW;
     } else {
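Review bot: The depth increment and decrement around the recursive call at L94–L96 (and again at L104–L106) are unconditional, which correctly rebalances `ctxt->depth` even when the callee returns NULL, but nothing at either site says so; a one-line comment such as `/* bound recursion; the callee checks ctxt->depth on entry */` at each increment would tie the pairs to the guard at the function's start. If any further recursive call to xmlParseElementChildrenContentDecl exists outside these two hunks it would bypass the limit, so it is worth confirming that every recursion site is wrapped the same way. The enclosing function begins and ends outside this hunk.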
@@ -5370,7 +5385,9 @@ xmlParseElementChildrenContentDecl (xmlP
 	    /* Recurse on second child */
 	    NEXT;
 	    SKIP_BLANKS;
+            ctxt->depth++;
 	    last = xmlParseElementChildrenContentDecl(ctxt, inputid);
+            ctxt->depth--;
 	    SKIP_BLANKS;
 	} else {
 	    elem = xmlParseName(ctxt);

Attachment: pgphQbYIOXffL.pgp
Description: PGP signature
