Re: [xml] Security fix for libxml2



On Mon, Aug 25, 2008 at 09:56:15PM +0200, Mike Hommey wrote:
On Mon, Aug 25, 2008 at 09:47:32PM +0200, Mike Hommey wrote:
  yeah, it's a serious problem, I made the data structure available
to help with fast access to the trees, but people have abused it,
I hope there aren't too many of those.
  I hope librsvg gets fixed, because I would really prefer the clean
solution in the upcoming 2.7.0 release.

FWIW, strigi is also impacted.
http://websvn.kde.org/trunk/kdesupport/strigi/src/streamanalyzer/fieldpropertiesdb.cpp?view=markup
(look for "new xmlEntity")

And many others, as reported on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496125 :

liferea 1.4.16b has this:

  src/xml.c:                    entity = (xmlEntityPtr)g_new0 (xmlEntity, 1);

PHP 5.2.6 has this:

  ext/dom/dom_iterators.c:61:      ret = (xmlEntityPtr) xmlMalloc(sizeof(xmlEntity));
  ext/dom/dom_iterators.c:62:      memset(ret, 0, sizeof(xmlEntity));

QT 4.4.0 has this (with an instructive comment in front of it):

  src/3rdparty/webkit/WebCore/dom/XMLTokenizer.cpp:static xmlEntity sharedXHTMLEntity = {

(Note that for the latter, there is also, at least in upstream webkit:
#if LIBXML_VERSION >= 20627
    // xmlEntity gained an extra member in 2.6.27.
    1
#endif

Which is quite ugly actually.)

Anyways, I'm afraid it means you're doomed.

  yes, I have seen those reports, which is why I reverted the SVN
upstream version to keep a binary compatible xmlEntity structure. The
worst is that this structure grew in October 2006 adding the owner field
and nobody complained ... mystery of memory allocations and alignments.
  I think the core of the problem comes from the fact that the existing
entity allocation routines exported by libxml2 fail to work if there
is no document or if the document does not have an existing DTD (and that
behaviour makes sense since entities are registered in a hash table in the
document DTD). So those not willing to build the document or DTD worked
around it by doing their own allocation, which is an abuse but doable from
C.
  To cope with this I also added yesterday a different allocation
function xmlNewEntity() which will work even if the doc is not available
or has no DTD, that will allow the offenders to fix their code
(possibly using #if LIBXML_VERSION >= 20700 to keep compiling on older
versions) and solve the problem in the long term.
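A self-contained C illustration of the mechanism described above, added here as an editor's example (not libxml2's code): the two struct layouts are constructed stand-ins for the pre- and post-October-2006 xmlEntity, and library_new_entity() stands in for the role xmlNewEntity() plays in 2.7.0.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for the layout an application compiled against an
 * older libxml2 baked into its own sizeof(); NOT the real xmlEntity. */
typedef struct {
    void       *_private;
    int         type;
    const char *name;
    const char *content;
    const char *URI;
} entity_old_layout;

/* Constructed stand-in for the grown layout: one extra field at the end,
 * like the owner field the thread talks about. */
typedef struct {
    void       *_private;
    int         type;
    const char *name;
    const char *content;
    const char *URI;
    int         owner;   /* added later; the application never knew about it */
} entity_new_layout;

/* What the offending applications did: malloc(sizeof(xmlEntity)) with the
 * size compiled into the application, not the size the installed library uses. */
size_t app_allocation_size(void) { return sizeof(entity_old_layout); }

/* Bytes the library writes past an allocation of 'allocated' bytes when it
 * stores the owner field. 0 means the block is large enough. Allocator
 * rounding often hides a small overrun like this, which is why nobody noticed
 * for two years; it is still a heap overflow. */
size_t overflow_bytes(size_t allocated)
{
    size_t needed = offsetof(entity_new_layout, owner) + sizeof(int);
    return needed > allocated ? needed - allocated : 0;
}

/* The fix the thread proposes: let the library allocate the structure, so the
 * size is always the one the installed library was built with. Works with no
 * document or DTD, exactly what xmlNewEntity() is meant to provide. */
entity_new_layout *library_new_entity(const char *name, const char *content)
{
    entity_new_layout *e = calloc(1, sizeof(*e));   /* library's own sizeof */
    if (e == NULL) return NULL;
    e->name = name;
    e->content = content;
    e->owner = 1;                                   /* safe: field is inside the block */
    return e;
}
```

Freeing an entity returned this way is the caller's job, just as the thread says it is for an unlinked xmlNewEntity() result.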

  Note that the xmlDoc document structure will grow too in 2.7.0 (to
hold parser options and be able to detect documents using XML 1.0
before revision 5) as well as the parser structure.

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel veillard com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/