Bug 1024989 - (CVE-2017-5969) VUL-1: CVE-2017-5969: libxml2: NULL pointer dereference parsing xml file using libxml 2.9.4 (in recover mode)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Assigned To: Security Team bot
Whiteboard: maint:released:sle10-sp3:63810 CVSSv2...
Reported: 2017-02-13 11:26 UTC by Mikhail Kasimov
Modified: 2020-09-16 11:00 UTC (History)
Attachments
crash-libxml2-recover.xml - reproducer (804 bytes, text/xml), 2017-02-13 11:30 UTC, Mikhail Kasimov
Upstream patch for SLE-10, 11 and 12. (2.49 KB, patch), 2017-06-14 15:22 UTC, Pedro Monreal Gonzalez
Description Mikhail Kasimov 2017-02-13 11:26:23 UTC
Ref: http://seclists.org/oss-sec/2017/q1/343
=============================================
We found a null pointer dereference when parsing an XML file using recover
mode. It was tested in libxml 2.9.4 (ArchLinux x86_64). To reproduce:

$ xmllint --recover crash-libxml2-recover.xml

==27646==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x0000004fbd88 bp 0x7ffc3345dff0 sp 0x7ffc3345dfd0 T0)
    #0 0x4fbd87 in xmlDumpElementContent
/home/g/Work/Code/libxml2-2.9.4/valid.c:1181
    #1 0x4fbcd5 in xmlDumpElementContent
/home/g/Work/Code/libxml2-2.9.4/valid.c:1177
    #2 0x4fe5ff in xmlDumpElementDecl
/home/g/Work/Code/libxml2-2.9.4/valid.c:1706
    #3 0x72e714 in xmlBufDumpElementDecl
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:501
    #4 0x73048f in xmlNodeDumpOutputInternal
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:939
    #5 0x72fc47 in xmlNodeListDumpOutput
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:825
    #6 0x72f6d5 in xmlDtdDumpOutput
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:749
    #7 0x73038f in xmlNodeDumpOutputInternal
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:931
    #8 0x732412 in xmlDocContentDumpOutput
/home/g/Work/Code/libxml2-2.9.4/xmlsave.c:1234
    #9 0x735883 in xmlSaveDoc /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:1936
    #10 0x40ba0f in parseAndPrintFile
/home/g/Work/Code/libxml2-2.9.4/xmllint.c:2712
    #11 0x411eb6 in main /home/g/Work/Code/libxml2-2.9.4/xmllint.c:3767
    #12 0x7f23dcd4c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #13 0x4032b9 in _start
(/home/g/Work/Code/libxml2-2.9.4/xmllint+0x4032b9)
=============================================

Upstream bug report: https://bugzilla.gnome.org/show_bug.cgi?id=778519

https://security-tracker.debian.org/tracker/CVE-2017-5969

https://software.opensuse.org/package/libxml2

TW|42.2: 2.9.4
42.1: 2.9.1
Comment 1 Mikhail Kasimov 2017-02-13 11:30:05 UTC
Created attachment 713843 [details]
crash-libxml2-recover.xml - reproducer
Comment 2 Matthias Gerstner 2017-02-13 11:50:37 UTC
This issue can cause a DoS in a somewhat obscure situation involving the
recover mode of libxml2, whose use with untrusted input is discouraged by
upstream.

In https://bugzilla.gnome.org/show_bug.cgi?id=778519#c1 it is stated that in
theory it might also affect any call to xmlSaveDoc().

Due to the exotic nature of the issue I'm treating this as a VUL-1 issue.

It seems this issue was already partly handled in bug 1014873.

Current codestream SLE-12-SP2:Update (and thus openSUSE Leap 42.{1,2}) already
has this issue fixed. Still affected:

SUSE:SLE-10-SP3:Update
SUSE:SLE-11-SP1:Update
SUSE:SLE-12:Update

QA reproducer:

Using the PoC file from attachment 713843 [details], run:

  xmllint --recover crash-libxml2-recover.xml

It will crash with a segmentation fault if the issue is present.
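The QA reproducer above, wrapped as a small POSIX sh check that a package test suite can run (an added example, not part of the bug report or of libxml2): it runs xmllint in recover mode on the reproducer and decides "crash" versus "no-crash" from the exit status alone, since recover mode legitimately returns a non-zero status for malformed input. It assumes xmllint is on PATH and that the reproducer path is passed as the first argument.

```shell
#!/bin/sh
# Added QA helper (not from the bug or from libxml2): classify the outcome of
# running the attachment 713843 reproducer through xmllint --recover.

# Map a shell exit status to a verdict. A status above 128 means the process
# was terminated by a signal (139 = 128 + SIGSEGV on Linux), which is the
# symptom of the unpatched NULL dereference in xmlDumpElementContent.
# A status of 1 is xmllint reporting parse errors, which recover mode is
# expected to produce for this input and is not a crash.
classify_exit_status() {
    status="$1"
    if [ "$status" -gt 128 ]; then
        echo "crash"
    else
        echo "no-crash"
    fi
}

# Run xmllint in recover mode on the given file, discard its output, and
# print the verdict for its exit status.
check_reproducer() {
    file="$1"
    xmllint --recover "$file" >/dev/null 2>&1
    classify_exit_status "$?"
}

# Stand-alone use: ./check.sh crash-libxml2-recover.xml
# Exits non-zero when the reproducer still crashes the installed xmllint.
if [ -n "$1" ]; then
    verdict=$(check_reproducer "$1")
    echo "xmllint --recover $1: $verdict"
    [ "$verdict" = "no-crash" ]
fi
```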
Comment 3 Swamp Workflow Management 2017-02-13 23:00:48 UTC
bugbot adjusting priority
Comment 10 Pedro Monreal Gonzalez 2017-06-14 15:22:49 UTC
Created attachment 728946 [details]
Upstream patch for SLE-10, 11 and 12.

A patch for this CVE has been released upstream https://bugzilla.gnome.org/show_bug.cgi?id=778519#c8

This bug was corrected by libxml2-NULL-deref-xmlDumpElementContent.patch
previously applied by Simon Lees in SLE-12-SP2 with libxml 2.9.4. I have also refreshed the patch in this version since it includes more modifications.

openSUSE:Factory              2.9.4     sr#503708
openSUSE:Leap:42.2:Update     2.9.4     Comes from SLE-12-SP2:GA
openSUSE:Leap:42.1:Update     2.9.1     Comes from SLE-12:Update

SUSE:SLE-12-SP2:Update        2.9.4     mr#134195
SUSE:SLE-12:Update            2.9.1     mr#134196
SUSE:SLE-11-SP1:Update        2.7.6     sr#134198
SUSE:SLE-10-SP3:Update        2.6.23    sr#134206

Tested in polio for SLE-12.
Comment 13 Swamp Workflow Management 2017-06-19 09:55:42 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-06-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63691
Comment 16 Swamp Workflow Management 2017-06-26 10:11:28 UTC
SUSE-SU-2017:1670-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1024989,1044337
CVE References: CVE-2017-0663,CVE-2017-5969
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libxml2-2.9.4-42.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libxml2-2.9.4-42.1, python-libxml2-2.9.4-42.1
SUSE Linux Enterprise Server 12-SP2 (src):    libxml2-2.9.4-42.1, python-libxml2-2.9.4-42.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libxml2-2.9.4-42.1, python-libxml2-2.9.4-42.1
OpenStack Cloud Magnum Orchestration 7 (src):    libxml2-2.9.4-42.1
Comment 17 Swamp Workflow Management 2017-07-01 13:09:39 UTC
openSUSE-SU-2017:1746-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1024989,1044337
CVE References: CVE-2017-0663,CVE-2017-5969
Sources used:
openSUSE Leap 42.2 (src):    libxml2-2.9.4-5.9.1, python-libxml2-2.9.4-5.9.1
Comment 18 Swamp Workflow Management 2017-07-07 13:13:16 UTC
SUSE-SU-2017:1813-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1024989,1044337,1044887,1044894
CVE References: CVE-2017-0663,CVE-2017-5969,CVE-2017-7375,CVE-2017-7376
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libxml2-2.7.6-0.76.1
SUSE Linux Enterprise Server 11-SP4 (src):    libxml2-2.7.6-0.76.1, libxml2-python-2.7.6-0.76.4
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libxml2-2.7.6-0.76.1, libxml2-python-2.7.6-0.76.4
Comment 19 Marcus Meissner 2017-10-25 19:43:16 UTC
released