Vigil@nce: libxml2, memory corruption via XPath
June 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use the XPath language to corrupt the libxml2
memory, in order to create a denial of service or to execute code.
– Severity: 2/4
– Creation date: 31/05/2011
IMPACTED PRODUCTS
– Debian Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The XPath language is used to select XML nodes.
The libxml2 library creates XML documents and manages nodes and
attributes in data structures.
The function xmlXPathNodeSetAddNs() adds nodes to the node set
currently being built. However, when an XPath expression of the form
"//@*/preceding::node()/ancestor::node()/ancestor::foo['foo']" is
evaluated, xmlXPathNodeSetAddNs() doubles the value of cur->nodeMax
without reallocating the node table, so the node set believes it has
more room than was actually allocated and later node writes land past
the end of the buffer, causing a memory corruption.
An attacker can therefore use the XPath language to corrupt the
libxml2 memory, in order to create a denial of service or to
execute code.
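The growth bug described above, reduced to its essentials as an added example (this is not libxml2 code; the struct and function names nodeset_t, nodeset_add_buggy, nodeset_add and nodeset_fill are this example's own, modelled on libxml2's nodeNr/nodeMax/nodeTab layout). The buggy variant doubles nodeMax without reallocating, exactly the bookkeeping error the bulletin describes; instead of actually writing past the allocation it reports the would-be out-of-bounds write. The hardened variant reallocates first and only commits the new nodeMax once realloc has succeeded, so the capacity field can never exceed the real allocation:

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const char *name; } node_t;   /* stand-in for an XML node */

typedef struct {
    int nodeNr;        /* number of nodes currently in the set */
    int nodeMax;       /* capacity the code *believes* nodeTab has */
    size_t allocated;  /* real capacity of nodeTab; only used to detect the bug */
    node_t **nodeTab;
} nodeset_t;

#define NODESET_INITIAL 10

int nodeset_init(nodeset_t *cur) {
    memset(cur, 0, sizeof(*cur));
    cur->nodeTab = calloc(NODESET_INITIAL, sizeof(*cur->nodeTab));
    if (cur->nodeTab == NULL) return -1;
    cur->nodeMax = NODESET_INITIAL;
    cur->allocated = NODESET_INITIAL;
    return 0;
}

void nodeset_free(nodeset_t *cur) { free(cur->nodeTab); cur->nodeTab = NULL; }

/* Buggy bookkeeping (hypothetical model of the bulletin's description):
 * when the table is full nodeMax is doubled but nodeTab is never
 * reallocated. The write that would follow is out of bounds; here it is
 * simulated, and the function returns 1 instead of corrupting the heap. */
int nodeset_add_buggy(nodeset_t *cur, node_t *n) {
    if (cur->nodeNr >= cur->nodeMax)
        cur->nodeMax *= 2;                      /* capacity lies: no realloc */
    if ((size_t)cur->nodeNr >= cur->allocated)
        return 1;                               /* would write past the buffer */
    cur->nodeTab[cur->nodeNr++] = n;
    return 0;
}

/* Hardened growth: grow first, commit nodeMax only after realloc succeeds,
 * and refuse to double if nodeMax * 2 would overflow an int. */
int nodeset_add(nodeset_t *cur, node_t *n) {
    if (cur->nodeNr >= cur->nodeMax) {
        int newMax;
        node_t **tmp;
        if (cur->nodeMax > INT_MAX / 2) return -1;          /* overflow guard */
        newMax = cur->nodeMax * 2;
        tmp = realloc(cur->nodeTab, (size_t)newMax * sizeof(*tmp));
        if (tmp == NULL) return -1;                          /* state untouched */
        cur->nodeTab = tmp;
        cur->nodeMax = newMax;
        cur->allocated = (size_t)newMax;
    }
    cur->nodeTab[cur->nodeNr++] = n;
    return 0;
}

/* Push `count` nodes through `add`. Returns the 1-based index of the first
 * add that failed or would have written out of bounds, or 0 if all fit. */
int nodeset_fill(nodeset_t *cur, int count, int (*add)(nodeset_t *, node_t *)) {
    static node_t dummy = { "node" };           /* constructed sample node */
    int i;
    for (i = 1; i <= count; i++)
        if (add(cur, &dummy) != 0) return i;
    return 0;
}

/* Run the buggy set to `count` nodes; returns the index of the first
 * out-of-bounds write (0 if none, -1 on init failure). */
int run_buggy_scenario(int count) {
    nodeset_t s; int r;
    if (nodeset_init(&s) != 0) return -1;
    r = nodeset_fill(&s, count, nodeset_add_buggy);
    nodeset_free(&s);
    return r;
}

/* Run the hardened set to `count` nodes; returns 0 when every node was
 * stored and nodeMax still matches the real allocation, else nonzero. */
int run_hardened_scenario(int count) {
    nodeset_t s; int r;
    if (nodeset_init(&s) != 0) return -1;
    r = nodeset_fill(&s, count, nodeset_add);
    if (r == 0 && (s.nodeNr != count || (size_t)s.nodeMax != s.allocated)) r = -2;
    nodeset_free(&s);
    return r;
}

int main(void) {
    printf("buggy set: first out-of-bounds write at node %d\n", run_buggy_scenario(11));
    printf("hardened set: %s\n", run_hardened_scenario(100) == 0 ? "ok" : "FAILED");
    return 0;
}
```

With an initial capacity of 10, the buggy variant reports the eleventh add as the first out-of-bounds write: nodeMax has become 20 while only 10 slots exist. The practical check when reviewing growable-array code is the one the hardened variant enforces: no capacity field is updated on any path where the reallocation did not happen.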
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libxml2-memory-corruption-via-XPath-10696