
Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Issue 722079: libxml2 - Heap Overflow in xmlMemStrdupLoc

Reported by pranjal....@gmail.com, May 14 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
Gnome bugzilla's security issues are not restricted, so creating a bug here.

While allocating memory for p,

p = (MEMHDR *) malloc(RESERVE_SIZE+size);

RESERVE_SIZE+size can wrap around if size is greater than SIZE_MAX - RESERVE_SIZE, causing a heap overflow while copying str into s

strcpy(s,str);

Patch attached.

What is the expected behavior?

What went wrong?
Heap Overflow.

Did this work before? N/A 

Chrome version: 57.0.2987.133  Channel: n/a
OS Version: 
Flash Version:
Attachment: xmlMemStrdupLoc.patch (499 bytes)
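Added example, not the libxml2 source and not the attached patch: the unchecked RESERVE_SIZE+size computation the report describes beside a guarded version that rejects a size that would wrap before calling malloc. The MEMHDR layout and RESERVE_SIZE value are constructed stand-ins for libxml2's.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libxml2's debug-memory header; the real
 * MEMHDR layout and RESERVE_SIZE are assumptions for this example. */
typedef struct {
    size_t      mh_size;   /* length of the client region in bytes */
    int         mh_line;
    const char *mh_file;
} MEMHDR;
#define RESERVE_SIZE (((sizeof(MEMHDR) + 15) / 16) * 16)

/* The computation the report describes, RESERVE_SIZE+size with no
 * check. Unsigned arithmetic wraps, so a size near SIZE_MAX yields a
 * tiny total; it is returned rather than passed to malloc so it can be
 * inspected safely. */
size_t unchecked_total(size_t size) {
    return RESERVE_SIZE + size;
}

/* Guarded version: reject any size that would wrap before malloc is
 * called. Returns 1 and sets *total on success, 0 on overflow. */
int checked_total(size_t size, size_t *total) {
    if (size > SIZE_MAX - RESERVE_SIZE)
        return 0;              /* RESERVE_SIZE + size would wrap */
    *total = RESERVE_SIZE + size;
    return 1;
}

/* Header-prefixed strdup with the guard in place. Returns NULL on
 * overflow or allocation failure; release with header_free(). */
char *checked_strdup(const char *str, const char *file, int line) {
    size_t size = strlen(str) + 1;   /* includes the terminating NUL */
    size_t total;
    if (!checked_total(size, &total))
        return NULL;
    MEMHDR *p = malloc(total);
    if (p == NULL)
        return NULL;
    p->mh_size = size;
    p->mh_line = line;
    p->mh_file = file;
    char *s = (char *)p + RESERVE_SIZE;
    memcpy(s, str, size);            /* bounded by the checked size */
    return s;
}

void header_free(char *s) {
    if (s != NULL)
        free(s - RESERVE_SIZE);
}
```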

Comment 1 by aarya@google.com, May 15 2017

Labels: -Pri-2 Pri-1
Owner: dominicc@chromium.org
Please provide link to bugzilla report. Also, does it have a reproducer ?

Comment 2 by sheriffbot@chromium.org, May 15 2017

Project Member
Status: Assigned (was: Unconfirmed)

Comment 3 by pranjal....@gmail.com, May 16 2017

I didn't create a gnome bugzilla because security bugs are not restricted. Exploitation of this issue might be difficult but I just wanted to err on the safe side. 

I don't have a reproducer yet. I'll update this report as soon as I'm able to come up with one.

Comment 4 by dominicc@chromium.org, May 22 2017

You can file a blank upstream bug and ask for it to be restricted. Please CC dominicc@chromium.org on these bugs. Thanks!

Comment 5 by kenrb@chromium.org, May 25 2017

Status: ExternalDependency (was: Assigned)

Comment 6 by dominicc@chromium.org, May 30 2017

Cc: tkent@chromium.org
Components: Blink>XML
Labels: Needs-Feedback
Status: Available (was: ExternalDependency)
I think we have work to do for these sort of bugs so let's not make these ExternalDependency. This is just NeedsFeedback as usual.

Comment 7 by sheriffbot@chromium.org, May 30 2017

Project Member
Status: Assigned (was: Available)

Comment 8 by rsesek@chromium.org, Jun 9 2017

Labels: Security_Impact-Stable M-60 Security_Severity-High

Comment 10 by sheriffbot@chromium.org, Jun 13 2017

Project Member
dominicc: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by dominicc@chromium.org, Jun 14 2017

Status: Started (was: Assigned)
OK, apparently we need to roll libxml2.

Comment 12 by dominicc@chromium.org, Jun 14 2017

Comment 13 by sheriffbot@chromium.org, Jul 13 2017

Project Member
Labels: Deadline-Exceeded
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue?

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by sheriffbot@chromium.org, Sep 6 2017

Project Member
Labels: -M-60 M-61

Comment 15 by raymes@chromium.org, Sep 19 2017

dominicc: I see that CL in #12 was landed. Can this be marked as fixed now?

Comment 16 by infe...@chromium.org, Sep 26 2017

Status: Fixed (was: Started)

Comment 17 by asymmetric@chromium.org, Sep 27 2017

Labels: reward-topanel

Comment 18 by sheriffbot@chromium.org, Sep 27 2017

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 19 by awhalley@google.com, Oct 6 2017

Hi pranjal.jumde@ - the Chrome VRP Panel declined to reward for this bug, but noted they would take another look if you could illustrate how it could be exploited via Chrome.

However, you might want to look at https://www.google.com/about/appsecurity/patch-rewards/ since you provided a security relevant patch that was used.  Cheers!

Comment 20 by pranjal....@gmail.com, Oct 6 2017

It would be hard to exploit this one, I am not looking for a reward but just wanted this issue to be addressed. 

Do you plan to release a CVE for this?

Comment 21 by awhalley@chromium.org, Oct 11 2017

Labels: -reward-topanel -M-61 M-62 reward-0
Thanks pranjal.jumde@, - yep, this should get a CVE allocated when M62 goes stable in the next few weeks.  Cheers!

Comment 22 by awhalley@google.com, Oct 16 2017

Labels: Release-0-M62

Comment 23 by awhalley@chromium.org, Oct 18 2017

Labels: CVE-2017-5130

Comment 24 by sheriffbot@chromium.org, Oct 27 2017

Project Member
Labels: Merge-Request-63

Comment 25 by sheriffbot@chromium.org, Oct 27 2017

Project Member
Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by gov...@chromium.org, Oct 27 2017

Cc: awhalley@chromium.org
+awhalley@ (Security TPM) for M63 merge review

Comment 27 by awhalley@chromium.org, Oct 30 2017

Labels: -Hotlist-Merge-Review -Merge-Review-63
No merge needed, not sure why sheriffbot thought differently

Comment 28 by sheriffbot@chromium.org, Jan 3 2018

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by kenrb@chromium.org, Feb 28 2018

Issue 816860 has been merged into this issue.

Comment 30 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
