Your message dated Mon, 25 Aug 2008 21:18:55 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496125: fixed in libxml2 2.6.32.dfsg-3
has caused the Debian Bug report #496125,
regarding libxml2: security fix does double free / segfaults (breaks Gnome apps)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
496125: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496125
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libxml2
Version: 2.6.32.dfsg-2+lenny
Severity: grave
Justification: renders package unusable


See the thread "Lenny users: attn about Gnome/libxml2 breakage" on the
debian-user mailing list (at the time of writing this bug report, the
archive didn't index those mails yet so I can't give a URL).

Here is the text:

    Today I did the usual dist-upgrade for my "testing" install, and
    it left me with a badly broken (from user's perspective)
    installation, because basically all Gnome applications stopped
    working. After a bit over 2 hours worth of investigation, I've
    found out how to solve the issue; since I first looked here and
    didn't find anything gnome related, I'm sending this to the list
    for the casual other victim.

    Symptom: Gnome apps just hang, without outputting anything to
    stdout/stderr (or .xsession-errors if started through the menu).

    Problem: the apps segfault inside libxml2, and thereafter enter a
    deadlocked state in a mutex (or in a select call); the former is
    apparently a bug in libxml2, the latter seems to be the Gnome
    functionality to pop up a window which seems to have an issue on
    its own (so it's really two bugs happening here, obscuring the
    investigation a bit.)

    Solution: install libxml2 from unstable; this is actually a
    downgrade (from libxml2 2.6.32.dfsg-2+lenny to
    2.6.32.dfsg-2). I.e. "apt-get install -t unstable
    libxml2/unstable", but you need to have the unstable sources in
    apt.sources and use apt pinning (I won't explain that here, check
    other sources).

to which I added:

    I realize that the suggestion I wrote about undoes a security
    fix. So, don't do what I said, do something different (what about
    going outside and enjoying a walk?). Well ok, the issue said to be
    fixed is only a DoS (of course ironically it introduces another
    DoS ;) .

    Thanks in advance to the security team for fixing the fixes.

The segfaults happen in libxml2 for both applications (Galeon and
gnome-appearance-properties) which I ran under GDB:

#0  0x00007f6038aa95c8 in _int_free (av=0x7f6038d829e0, mem=0xc9ad10) at malloc.c:4663
#1  0x00007f6038aa9a76 in *__GI___libc_free (mem=0xc9ad10) at malloc.c:3626
#2  0x00007f603c54f065 in xmlParseEntityDecl__internal_alias (ctxt=0xcb1700) at parser.c:4809
#3  0x00007f603c54f7e6 in xmlParseMarkupDecl__internal_alias (ctxt=0x7f6038d829e0) at parser.c:5947
#4  0x00007f603c54f87e in xmlParseInternalSubset (ctxt=0xcb1700) at parser.c:7310
#5  0x00007f603c550626 in xmlParseChunk__internal_alias (ctxt=0xcb1700, 
    chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
#6  0x00007f602bac4cd0 in ?? () from /usr/lib/librsvg-2.so.2
#7  0x00007f602bcf0d7c in ?? () from /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
#8  0x00007f603a5d4c99 in IA__gdk_pixbuf_loader_write (loader=0xb28ea0, 
    buf=0xc94180 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!-- Generator: Adobe Illustrator 10.0.3, SVG Export Plug-In . SVG Version: 3.0.0 Build 77)  -->\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.0//EN\"    \"http://www.w3"..., count=4082, error=0xcc8528)
    at /scratch/build-area/gtk+2.0-2.12.11/gdk-pixbuf/gdk-pixbuf-loader.c:475
#9  0x00007f603ab9c530 in icon_info_ensure_scale_and_pixbuf (icon_info=0xcc84f0, 
    scale_only=<value optimized out>)
    at /scratch/build-area/gtk+2.0-2.12.11/gtk/gtkicontheme.c:2743
...
(you can see the rest of the backtraces in my mailing list email)

Here I'll also post the top of a "bt full", which indicates that glibc
complains about a double free:

#0  0x00007f4c4ab725c8 in _int_free (av=0x7f4c4ae4b9e0, mem=0xc9b570) at malloc.c:4663
        p = (mchunkptr) 0xc9b560
        size = 320
        nextchunk = (mchunkptr) 0xc9b6a0
        nextsize = 144
        prevsize = <value optimized out>
        bck = (mchunkptr) 0x11
        fwd = (mchunkptr) 0x0
        errstr = 0x7f4c4ac1a8d8 "double free or corruption (!prev)"
#1  0x00007f4c4ab72a76 in *__GI___libc_free (mem=0xc9b570) at malloc.c:3626
        ar_ptr = (mstate) 0x7f4c4ae4b9e0
        p = (mchunkptr) 0x1
        hook = <value optimized out>
#2  0x00007f4c4e618065 in xmlParseEntityDecl__internal_alias (ctxt=0xc9a450) at parser.c:4809
        name = (const xmlChar *) 0xc9b053 "ns_flows"
        value = (xmlChar *) 0xc9b570 "http://ns.adobe.com/Flows/1.0/"
        URI = <value optimized out>
        literal = (xmlChar *) 0x0
        ndata = <value optimized out>
        isParameter = 0
        orig = (xmlChar *) 0xc9b500 "http://ns.adobe.com/Flows/1.0/"
        skipped = <value optimized out>
        oldnbent = 0
#3  0x00007f4c4e6187e6 in xmlParseMarkupDecl__internal_alias (ctxt=0x7f4c4ae4b9e0) at parser.c:5947
#4  0x00007f4c4e61887e in xmlParseInternalSubset (ctxt=0xc9a450) at parser.c:7310
No locals.
No locals.
#5  0x00007f4c4e619626 in xmlParseChunk__internal_alias (ctxt=0xc9a450, 
    chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
        end_in_lf = 0
#6  0x00007f4c3db8dcd0 in ?? () from /usr/lib/librsvg-2.so.2
No symbol table info available.
#7  0x00007f4c3ddb9d7c in ?? () from /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
No symbol table info available.
....


(BTW there seem to be no debugging symbols available in any Debian
package for librsvg-2. (Is this a bug of the librsvg-2 package?))

Christian.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxml2 depends on:
ii  libc6                  2.7-13            GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages libxml2 recommends:
ii  xml-core                      0.11       XML infrastructure and XML catalog

libxml2 suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.6.32.dfsg-3

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:

libxml2-dbg_2.6.32.dfsg-3_amd64.deb
  to pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-3_amd64.deb
libxml2-dev_2.6.32.dfsg-3_amd64.deb
  to pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-3_amd64.deb
libxml2-doc_2.6.32.dfsg-3_all.deb
  to pool/main/libx/libxml2/libxml2-doc_2.6.32.dfsg-3_all.deb
libxml2-utils_2.6.32.dfsg-3_amd64.deb
  to pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-3_amd64.deb
libxml2_2.6.32.dfsg-3.diff.gz
  to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-3.diff.gz
libxml2_2.6.32.dfsg-3.dsc
  to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-3.dsc
libxml2_2.6.32.dfsg-3_amd64.deb
  to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-3_amd64.deb
python-libxml2_2.6.32.dfsg-3_amd64.deb
  to pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <[EMAIL PROTECTED]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 25 Aug 2008 22:01:17 +0200
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2
Architecture: source all amd64
Version: 2.6.32.dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <[EMAIL PROTECTED]>
Changed-By: Mike Hommey <[EMAIL PROTECTED]>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
Closes: 496125
Changes: 
 libxml2 (2.6.32.dfsg-3) unstable; urgency=high
 .
   * Fix DoS which leads to recursive evaluation of entities.
     Fixes: CVE-2008-3281, without breaking librsvg and others. Closes: #496125.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIsxcZ3kvaLFT9KlgRAjhnAJ42+CZXM97mB9lsUvMcjk7DObchPACgg80U
uyDN/t7LrTLsPht+4WPsKXE=
=so5o
-----END PGP SIGNATURE-----



--- End Message ---
