Vigil@nce: libxml2, buffer overflow via an entity
September 2008 by Vigil@nce
An attacker can create a malformed XML file in order to create a denial of service or code execution when it is analyzed by libxml2.
Consequences: user access/rights, denial of service of service
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 12/09/2008
Mandriva Corporate [confidential versions]
Mandriva Linux [confidential versions]
Red Hat Enterprise Linux [confidential versions]
Unix - plateform
The libxml2 library implements features to handle data in XML format.
An XML file can contain special characters represented as entities, such as "<".
The xmlParseAttValueComplex() function of parser.c file analyzes entities contained in the value of an attribute. The replaceEntities field of the _xmlParserCtxt structure indicates if entities have to be converted or not.
When entities are not converted, and if an entity is unknown, it is simply copied in the output array. However, the array size is not extended to contain this entity.
An attacker can therefore use a long entity in order to generate an overflow leading to a denial of service or to code execution.
Identifiers: 461015, BID-31126, CVE-2008-3529, MDVSA-2008:192, RHSA-2008:0884-01, RHSA-2008:0886-01, VIGILANCE-VUL-8106