Issue metadata

Status: Fixed
Closed: Sep 2017
OS: Linux
Pri: 1
Type: Bug-Security

Issue 722079: libxml2 - Heap Overflow in xmlMemStrdupLoc

Reported by, May 14 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
Gnome bugzilla's security issues are not restricted, so creating a bug here.

While allocating memory for p,

p = (MEMHDR *) malloc(RESERVE_SIZE+size);

RESERVE_SIZE+size can wrap around if size is greater than SIZE_MAX - RESERVE_SIZE, causing a heap overflow while copying str into s.


Patch attached.

What is the expected behavior?

What went wrong?
Heap Overflow.

Did this work before? N/A

Chrome version: 57.0.2987.133  Channel: n/a
OS Version: 
Flash Version:
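
The wrap-around described above, as an added illustration that is not the reporter's patch nor libxml2's own code: RESERVE_SIZE is a constructed placeholder for the bookkeeping header size, and the helper names are invented. It shows the unchecked sum wrapping and the size guard that a fix needs before the malloc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed placeholder for the header libxml2 prepends to each block;
 * the real value is derived from sizeof(MEMHDR). */
#define RESERVE_SIZE ((size_t)16)

/* Mirrors the unchecked expression from the report. For size close to
 * SIZE_MAX the sum wraps to a tiny value, so malloc() returns a block far
 * smaller than the copy that follows. */
size_t unchecked_alloc_size(size_t size) {
    return RESERVE_SIZE + size;
}

/* Returns 1 when RESERVE_SIZE + size would wrap, 0 otherwise. Written so
 * the comparison itself cannot overflow. */
int alloc_size_would_wrap(size_t size) {
    return size > SIZE_MAX - RESERVE_SIZE;
}

/* Hardened strdup-with-header (hypothetical helper, not an xmlMem* API):
 * computes the size, rejects any length that would wrap, then allocates
 * header + payload and copies the string after the header.
 * Returns NULL on overflow or allocation failure. */
char *safe_strdup_with_header(const char *str) {
    size_t len = strlen(str);
    /* len + 1 + RESERVE_SIZE must stay <= SIZE_MAX */
    if (len >= SIZE_MAX - RESERVE_SIZE)
        return NULL;
    size_t size = len + 1;
    unsigned char *p = malloc(RESERVE_SIZE + size);
    if (p == NULL)
        return NULL;
    char *s = (char *)(p + RESERVE_SIZE);
    memcpy(s, str, size);          /* now provably fits */
    return s;
}

/* Releases a block returned by safe_strdup_with_header(). */
void safe_free_with_header(char *s) {
    free((unsigned char *)s - RESERVE_SIZE);
}
```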

Comment 1 by, May 15 2017

Labels: -Pri-2 Pri-1
Please provide link to bugzilla report. Also, does it have a reproducer ?

Comment 2 by, May 15 2017

Project Member
Status: Assigned (was: Unconfirmed)

Comment 3 by, May 16 2017

I didn't create a gnome bugzilla because security bugs are not restricted. Exploitation of this issue might be difficult but I just wanted to err on the safe side.

I don't have a reproducer yet. I'll update this report as soon as I'm able to come up with one.

Comment 4 by, May 22 2017

You can file a blank upstream bug and ask for it to be restricted. Please CC on these bugs. Thanks!

Comment 5 by, May 25 2017

Status: ExternalDependency (was: Assigned)

Comment 6 by, May 30 2017

Components: Blink>XML
Labels: Needs-Feedback
Status: Available (was: ExternalDependency)
I think we have work to do for these sort of bugs so let's not make these ExternalDependency. This is just NeedsFeedback as usual.

Comment 7 by, May 30 2017

Project Member
Status: Assigned (was: Available)

Comment 8 by, Jun 9 2017

Labels: Security_Impact-Stable M-60 Security_Severity-High

Comment 10 by, Jun 13 2017

Project Member
dominicc: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit - Your friendly Sheriffbot

Comment 11 by, Jun 14 2017

Status: Started (was: Assigned)
OK, apparently we need to roll libxml2.

Comment 12 by, Jun 14 2017

Comment 13 by, Jul 13 2017

Project Member
Labels: Deadline-Exceeded
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue?

For more details visit - Your friendly Sheriffbot

Comment 14 by, Sep 6 2017

Project Member
Labels: -M-60 M-61

Comment 15 by, Sep 19 2017

dominicc: I see that CL in #12 was landed. Can this be marked as fixed now?

Comment 16 by, Sep 26 2017

Status: Fixed (was: Started)

Comment 17 by, Sep 27 2017

Labels: reward-topanel

Comment 18 by, Sep 27 2017

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 19 by, Oct 6 2017

Hi pranjal.jumde@ - the Chrome VRP Panel declined to reward for this bug, but noted they would take another look if you could illustrate how it could be exploited via Chrome.

However, you might want to look at since you provided a security relevant patch that was used.  Cheers!

Comment 20 by, Oct 6 2017

It would be hard to exploit this one, I am not looking for a reward but just wanted this issue to be addressed.

Do you plan to release a CVE for this?

Comment 21 by, Oct 11 2017

Labels: -reward-topanel -M-61 M-62 reward-0
Thanks pranjal.jumde@, - yep, this should get a CVE allocated when M62 goes stable in the next few weeks.  Cheers!

Comment 22 by, Oct 16 2017

Labels: Release-0-M62

Comment 23 by, Oct 18 2017

Labels: CVE-2017-5130

Comment 24 by, Oct 27 2017

Project Member
Labels: Merge-Request-63

Comment 25 by, Oct 27 2017

Project Member
Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit - Your friendly Sheriffbot

Comment 26 by, Oct 27 2017

+awhalley@ (Security TPM) for M63 merge review

Comment 27 by, Oct 30 2017

Labels: -Hotlist-Merge-Review -Merge-Review-63
No merge needed, not sure why sheriffbot thought differently

Comment 28 by, Jan 3 2018

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 29 by, Feb 28 2018

Issue 816860 has been merged into this issue.

Comment 30 by, Apr 25 2018

Labels: CVE_description-submitted
