Vigil@nce: libxslt, double memory free via xmlFreeNodeList
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use malicious XSLT data to stop applications linked to libxslt, and possibly to execute code.
Impacted products: Debian, Fedora, MES, Mandriva Linux, openSUSE, RHEL, Unix (platform)
Creation date: 08/10/2012
DESCRIPTION OF THE VULNERABILITY
The libxslt library processes XSLT transformations to be applied to an XML document.
The xsltAttrTemplateProcess() and xsltAttrListTemplateProcess() functions in the libxslt/templates.c file are used to process attributes on a template. However, if the attribute value is a member of a dictionary, this value is freed twice by the xmlFreeNodeList() function.
An attacker can therefore use malicious XSLT data to stop applications linked to libxslt, and possibly to execute code.
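Added illustration (not code from libxslt, libxml2 or this bulletin): a toy C model of the ownership rule behind this flaw, where a node-list free must skip strings that a dictionary owns; every type and function name here is an assumption. The dry run counts what a free routine would release when it does not know the owning dictionary, which includes the dictionary's own string that the dictionary would later release a second time.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy model (assumption): not libxml2's xmlDict / xmlNode types. */
typedef struct { char *entry[8]; int count; } Dict;  /* owns its strings */
typedef struct Node { struct Node *next; char *content; } Node;
static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p) abort();
    return strcpy(p, s);
}
static char *dict_intern(Dict *d, const char *s) {
    for (int i = 0; i < d->count; i++)
        if (strcmp(d->entry[i], s) == 0) return d->entry[i];
    return d->count < 8 ? (d->entry[d->count++] = dup_str(s)) : NULL;
}
/* Ownership is pointer identity: an equal heap copy is not owned. */
static int dict_owns(const Dict *d, const char *s) {
    for (int i = 0; d && i < d->count; i++)
        if (d->entry[i] == s) return 1;
    return 0;
}
static Node *new_node(char *content, Node *next) {
    Node *n = malloc(sizeof *n);
    if (!n) abort();
    n->next = next; n->content = content;
    return n;
}
/* Skips content owned by `believed`; commit == 0 only counts (dry run). */
static int free_node_list(Node *n, const Dict *believed, int commit) {
    int released = 0;
    for (Node *next; n; n = next) {
        next = n->next;
        if (n->content && !dict_owns(believed, n->content)) {
            released++;
            if (commit) free(n->content);
        }
        if (commit) free(n);
    }
    return released;
}
int main(void) {
    Dict d = {0};
    Node *list = new_node(dict_intern(&d, "value"), new_node(dup_str("value"), NULL));
    int blind = free_node_list(list, NULL, 0), aware = free_node_list(list, &d, 1);
    printf("released: %d without the dictionary, %d with it\n", blind, aware);
    free(d.entry[0]);  /* the dictionary frees its own string, exactly once */
    return 0;
}
```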