Vigil@nce: libxml2, buffer overflow via an entity
September 2008 by Vigil@nce
SYNTHESIS
An attacker can create a malformed XML file in order to create a
denial of service or code execution when it is analyzed by libxml2.
Gravity: 3/4
Consequences: user access/rights, denial of service of service
Provenance: document
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 12/09/2008
Identifier: VIGILANCE-VUL-8106
IMPACTED PRODUCTS
– Mandriva Corporate [confidential versions]
– Mandriva Linux [confidential versions]
– Red Hat Enterprise Linux [confidential versions]
– Unix - plateform
DESCRIPTION
The libxml2 library implements features to handle data in XML
format.
An XML file can contain special characters represented as
entities, such as "<".
The xmlParseAttValueComplex() function of parser.c file analyzes
entities contained in the value of an attribute. The
replaceEntities field of the _xmlParserCtxt structure indicates if
entities have to be converted or not.
When entities are not converted, and if an entity is unknown, it
is simply copied in the output array. However, the array size is
not extended to contain this entity.
An attacker can therefore use a long entity in order to generate
an overflow leading to a denial of service or to code execution.
CHARACTERISTICS
Identifiers: 461015, BID-31126, CVE-2008-3529, MDVSA-2008:192,
RHSA-2008:0884-01, RHSA-2008:0886-01, VIGILANCE-VUL-8106