*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Marc Deslauriers
(mdeslaur):
Binary package hint: python2.3-xml
It seems that the pyexpat library causes a crash in zope when parsing a
malformed XML-RPC request. Since no authentication is required, this
results in a DoS of zope on dapper. The same request to zope on hardy does
not cause a crash.
I haven't looked at the source, so there is also a chance that the real
cause is invalid usage of the library.
XML from request:
<?xml version="1.0"?><methodCall><methodName>/xdsfads</methodName><params><param><vaƬue></value></param></params></methodCall>
XML from request (base64):
PD94bWwgdmVyc2lvbj0iMS4wIj8+PG1ldGhvZENhbGw+PG1ldGhvZE5hbWU+L3hkc2ZhZHM8L21l
dGhvZE5hbWU+PHBhcmFtcz48cGFyYW0+PHZh7HVlPjwvdmFsdWU+PC9wYXJhbT48L3BhcmFtcz48
L21ldGhvZENhbGw+DQogICAgICAgICAgICAgICAgICAgICAgICAgIA0K
The crash occurs when a null pointer is handed over to Python code:
(gdb) bt
#0 0x08077718 in PyDict_GetItem ()
#1 0xb7a2a4e0 in initpyexpat ()
from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#2 0xb7a38a51 in XML_ParserReset ()
from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#3 0xb7a3addf in XML_ParserReset ()
from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#4 0xb7a35646 in XML_ParserReset ()
from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#5 0xb7a3b55a in XML_ParserReset ()
from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#6 0xb7a2d8c9 in XML_ParseBuffer ()
from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#7 0xb7a2dcb5 in XML_Parse ()
from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#8 0xb7a285bf in initpyexpat ()
from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
(gdb) info registers
eax 0x8109c60 135306336
ecx 0x1 1
edx 0xb5ac4e2c -1246998996
ebx 0x0 0
esp 0xb3e1bf10 0xb3e1bf10
ebp 0xb3e1bf28 0xb3e1bf28
esi 0xb5b2602c -1246601172
edi 0x0 0
eip 0x8077718 0x8077718 <PyDict_GetItem+24>
eflags 0x200246 2097734
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
0x08077700 <PyDict_GetItem+0>: push %ebp
0x08077701 <PyDict_GetItem+1>: mov %esp,%ebp
0x08077703 <PyDict_GetItem+3>: push %esi
0x08077704 <PyDict_GetItem+4>: push %ebx
0x08077705 <PyDict_GetItem+5>: sub $0x10,%esp
0x08077708 <PyDict_GetItem+8>: mov 0x8(%ebp),%esi
0x0807770b <PyDict_GetItem+11>: mov 0xc(%ebp),%ebx -- get call arg to ebx
0x0807770e <PyDict_GetItem+14>: mov 0x4(%esi),%eax
0x08077711 <PyDict_GetItem+17>: cmp $0x8109c60,%eax
0x08077716 <PyDict_GetItem+22>: jne 0x8077752 <PyDict_GetItem+82>
0x08077718 <PyDict_GetItem+24>: cmpl $0x810ab00,0x4(%ebx) -- use ebx, crash
ii python2.3-xml 0.8.4-1ubuntu4 XML tools for Python (2.3.x)
Description: Ubuntu 6.06.2 LTS
Release: 6.06
** Affects: python2.3-xml (Ubuntu)
Importance: Undecided
Status: New
--
Segmentation fault when parsing malformed XML (null pointer dereference)
https://bugs.edge.launchpad.net/bugs/611731
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs