New issue
Advanced search Search tips
Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

libxml2 - Heap Overflow in xmlMemStrdupLoc

Reported by pranjal....@gmail.com, May 14 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
Gnome bugzilla's security issues are not restricted, so creating a bug here.

While allocating memory for p,

p = (MEMHDR *) malloc(RESERVE_SIZE+size);

RESERVE_SIZE+size can wrap-around if size is greater than SIZE_MAX - RESERVE_SIZE causing a heap overflow while copying  str into s

strcpy(s,str);

Patch attached.

What is the expected behavior?

What went wrong?
Heap Overflow. 

Did this work before? N/A 

Chrome version: 57.0.2987.133  Channel: n/a
OS Version: 
Flash Version:
 
xmlMemStrdupLoc.patch
499 bytes Download

Comment 1 by aarya@google.com, May 15 2017

Labels: -Pri-2 Pri-1
Owner: dominicc@chromium.org
Please provide link to bugzilla report. Also, does it have a reproducer ?
Project Member

Comment 2 by sheriffbot@chromium.org, May 15 2017

Status: Assigned (was: Unconfirmed)
I didn't create a gnome bugzilla because security bugs are not restricted. Exploitation of this issue might be difficult but I just wanted to err on the safe side. 

I don't have a reproducer yet. I'll update this report as soon as I'm able to come up with one.
You can file a blank upstream bug and ask for it to be restricted. Please CC dominicc@chromium.org on these bugs. Thanks!

Comment 5 by kenrb@chromium.org, May 25 2017

Status: ExternalDependency (was: Assigned)
Cc: tkent@chromium.org
Components: Blink>XML
Labels: Needs-Feedback
Status: Available (was: ExternalDependency)
I think we have work to do for these sort of bugs so let's not make these ExternalDependency. This is just NeedsFeedback as usual.
Project Member

Comment 7 by sheriffbot@chromium.org, May 30 2017

Status: Assigned (was: Available)
Labels: Security_Impact-Stable M-60 Security_Severity-High
Project Member

Comment 10 by sheriffbot@chromium.org, Jun 13 2017

dominicc: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Started (was: Assigned)
OK, apparently we need to roll libxml2.
Patch up for review at https://chromium-review.googlesource.com/c/535233/
Project Member

Comment 13 by sheriffbot@chromium.org, Jul 13 2017

Labels: Deadline-Exceeded
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue?

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 14 by sheriffbot@chromium.org, Sep 6 2017

Labels: -M-60 M-61
dominicc: I see that CL in #12 was landed. Can this be marked as fixed now? 
Status: Fixed (was: Started)
Labels: reward-topanel
Project Member

Comment 18 by sheriffbot@chromium.org, Sep 27 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Hi pranjal.jumde@ - the Chrome VRP Panel declined to reward for this bug, but noted they would take another look if you could illustrate how it could be exploited via Chrome.

However, you might want to look at https://www.google.com/about/appsecurity/patch-rewards/ since you provided a security relevant patch that was used.  Cheers!
It would be hard to exploit this one, I am not looking for a reward but just wanted this issue to be addressed. 

Do you plan to release a CVE for this?
Labels: -reward-topanel -M-61 M-62 reward-0
Thanks pranjal.jumde@, - yep, this should get a CVE allocated when M62 goes stable in the next few weeks.  Cheers!
Labels: Release-0-M62
Labels: CVE-2017-5130
Project Member

Comment 24 by sheriffbot@chromium.org, Oct 27 2017

Labels: Merge-Request-63
Project Member

Comment 25 by sheriffbot@chromium.org, Oct 27 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ (Security TPM) for M63 merge review
Labels: -Hotlist-Merge-Review -Merge-Review-63
No merge needed, not sure why sheriffbot thought differently
Project Member

Comment 28 by sheriffbot@chromium.org, Jan 3 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by kenrb@chromium.org, Feb 28 2018

 Issue 816860  has been merged into this issue.
Labels: CVE_description-submitted

Sign in to add a comment