Nov 27, 2017 - 6:37 a.m.

Internet Bug Bounty: Multiple issues in Libxml2 (2.9.2 - 2.9.5)


0.036 Low




Libxml2 is the XML C parser and toolkit developed for the GNOME project. Thanks to its portable C implementation and continuous development, Libxml2 builds and runs on a wide variety of systems (Linux, Unix, Windows, Cygwin, MacOS, Mac OS X, RISC OS, OS/2, VMS, QNX, MVS, VxWorks, …). It is or has been adopted by many major vendors and products, including Google (Chrome), VMware, Apple (Safari, Mac OS X, iOS, …) and many embedded systems. In the Google Patch Rewards program, Libxml2 is listed in the category of core infrastructure data parsers.

During 2015-2016, our fuzzing work on Libxml2 systematically identified a series of bugs, including use-after-frees, out-of-bounds reads and infinite recursions. They were submitted both to Libxml2 and to Apple (which internally maintains a branch kept closely in sync with official Libxml2). Some of these bugs have been resolved in recent releases, including the following:

Credited in both Libxml2-2.9.4 and Apple iOS 9.3.2 / OSX 10.11.5:

CVE-2016-1835: Libxml2 Use-after-Free in xmlSAX2AttributeNs

CVE-2016-1836: Libxml2 Use-after-Free in xmlParseNCNameComplex

CVE-2016-1837: Libxml2 Use-after-Free in htmlParsePubidLiteral / htmlParseSystemLiteral

Credited in Apple iOS 9.2 / OSX 10.11.2, and (silently) fixed in Libxml2-2.9.3:

CVE-2016-7115: Libxml2 xmlParseNCNameComplex OOB Read

CVE-2016-7116: Libxml2 xmlParseTryOrFinish OOB Read

And a few others:

CVE-2016-1762: Libxml2 xmlParseInternalSubset Out-of-Bound Read Vulnerability (iOS/OSX)

CVE-2016-4447: Libxml2 xmlParseElementDecl Out-of-Bound Read Vulnerability (iOS/OSX)

Recently in Libxml2 2.9.7:

CVE-2017-16931: Libxml2 xmlParseNameComplex Use-after-Free Vulnerability

CVE-2017-16932: Libxml2 Parameter Entity Infinite Recursion Vulnerability
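A practitioner reading the list above usually wants one concrete check: which of these CVEs does the libxml2 actually installed on a host still carry? The script below is an added example, not part of the HackerOne report or of Libxml2 itself. It maps each CVE to the fixing release exactly as stated on this page (2.9.3, 2.9.4 and 2.9.7; CVE-2016-1762 and CVE-2016-4447 are left out because the page names no Libxml2 release for them), and it reads the installed version either from the exported `xmlParserVersion` global of the shared library (libxml2 stores it packed as MMmmpp, e.g. "20904" for 2.9.4) or from `xml2-config --version`. The assumption that one of those two sources is present on the host is the script's only external dependency; the pure functions run offline.

```python
"""Report which of the CVEs listed on this page an installed libxml2 still lacks a fix for.

Added example; the fix versions are those stated on the page, not an authoritative
advisory mapping. Version sources (xmlParserVersion via ctypes, xml2-config) are
assumed to be available on the host; when neither is, installed_version() returns None.
"""
import ctypes
import ctypes.util
import re
import shutil
import subprocess

# Release that shipped the fix, as stated on the page.
FIXED_IN = {
    "CVE-2016-7115": (2, 9, 3),
    "CVE-2016-7116": (2, 9, 3),
    "CVE-2016-1835": (2, 9, 4),
    "CVE-2016-1836": (2, 9, 4),
    "CVE-2016-1837": (2, 9, 4),
    "CVE-2017-16931": (2, 9, 7),
    "CVE-2017-16932": (2, 9, 7),
}


def parse_version(text):
    """Accept '2.9.4', a distro string such as '2.9.4-4ubuntu1', or libxml2's
    packed form '20904' (major*10000 + minor*100 + micro)."""
    text = text.strip()
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if m:
        return tuple(int(x) for x in m.groups())
    if re.fullmatch(r"\d{5,6}", text):
        n = int(text)
        return (n // 10000, (n // 100) % 100, n % 100)
    raise ValueError("unrecognised libxml2 version: %r" % text)


def unfixed_cves(version):
    """CVEs from the page whose fixing release is newer than `version`."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def installed_version():
    """Best effort: xmlParserVersion from the shared library, else xml2-config."""
    name = ctypes.util.find_library("xml2")
    if name:
        try:
            lib = ctypes.CDLL(name)
            raw = ctypes.c_char_p.in_dll(lib, "xmlParserVersion").value
            return parse_version(raw.decode())
        except (OSError, ValueError):
            pass
    if shutil.which("xml2-config"):
        out = subprocess.check_output(["xml2-config", "--version"], text=True)
        return parse_version(out)
    return None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("no libxml2 found (neither libxml2.so nor xml2-config)")
    else:
        missing = unfixed_cves(v)
        print("libxml2 %d.%d.%d: %s" % (v + (", ".join(missing) or "none of the listed CVEs outstanding",)))
```

Note that a distribution may backport fixes without bumping the version string, so a "2.9.4" reported here only says the upstream release predates the 2.9.7 fixes; confirm against the distro's changelog before filing anything.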

Much of the patching work should be credited to Daniel Veillard (Libxml2 maintainer), David Kilzer (Apple), Pranjal Jumde (Apple), Nick Wellnhofer and possibly others.


Exploitability depends on context, above all on whether the parser is exposed to attacker-controlled (external) XML. Where the XML engine is used alongside a JS engine, exploitation may be easier, since scripted control over heap allocations makes use-after-free and out-of-bounds read bugs easier to turn into something more than a crash.