libxml2 Multiple Use-After-Free Vulnerabilities

2013.04.20

Credit: Agostino Sarubbo

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2013-1969

CWE: N/A

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

1) An use-after-free error in "htmlParseChunk()" can be exploited to 
dereference already freed memory.

2) Two use-after-free errors in "xmldecl_done()" can be exploited to 
dereference already freed memory.

The vulnerabilities are reported in version 2.9.0. Other versions may also be 
affected.

Commit:
https://git.gnome.org/browse/libxml2/commit/?id=de0cc20c29cb3f056062925395e0f68d2250a46f

[1]: https://secunia.com/advisories/53061/
-- 
Agostino Sarubbo
Gentoo Linux Developer

diff --git a/HTMLparser.c b/HTMLparser.c
index a533f37..6b83654 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -6054,6 +6054,8 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
if ((in->encoder != NULL) && (in->buffer != NULL) &&
(in->raw != NULL)) {
int nbchars;
+ size_t base = xmlBufGetInputBase(in->buffer, ctxt->input);
+ size_t current = ctxt->input->cur - ctxt->input->base;
nbchars = xmlCharEncInput(in);
if (nbchars < 0) {
@@ -6061,6 +6063,7 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
"encoder error\n", NULL, NULL);
return(XML_ERR_INVALID_ENCODING);
}
+ xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
}
}
}
diff --git a/parser.c b/parser.c
index 31f90d6..1c99051 100644
--- a/parser.c
+++ b/parser.c
@@ -12126,7 +12126,7 @@ xmldecl_done:
remain = 0;
}
}
- res =xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
+ res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
if (res < 0) {
ctxt->errNo = XML_PARSER_EOF;
ctxt->disableSAX = 1;
@@ -12143,6 +12143,8 @@ xmldecl_done:
if ((in->encoder != NULL) && (in->buffer != NULL) &&
(in->raw != NULL)) {
int nbchars;
+ size_t base = xmlBufGetInputBase(in->buffer, ctxt->input);
+ size_t current = ctxt->input->cur - ctxt->input->base;
nbchars = xmlCharEncInput(in);
if (nbchars < 0) {
@@ -12151,6 +12153,7 @@ xmldecl_done:
"xmlParseChunk: encoder error\n");
return(XML_ERR_INVALID_ENCODING);
}
+ xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
}
}
}
@@ -12190,7 +12193,14 @@ xmldecl_done:
}
if ((end_in_lf == 1) && (ctxt->input != NULL) &&
(ctxt->input->buf != NULL)) {
+ size_t base = xmlBufGetInputBase(ctxt->input->buf->buffer,
+ ctxt->input);
+ size_t current = ctxt->input->cur - ctxt->input->base;
+
xmlParserInputBufferPush(ctxt->input->buf, 1, "\r");
+
+ xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input,
+ base, current);
}
if (terminate) {
/*

References:

https://git.gnome.org/browse/libxml2/commit/?id=de0cc20c29cb3f056062925395e0f68d2250a46f

http://seclists.org/oss-sec/2013/q2/106

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

libxml2 Multiple Use-After-Free Vulnerabilities

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.