This is a disclosure of the following issue that was raised a week ago
on the distro's mailing list. Both bugs on the gnome bugtracker are
currently private and should be made public now.
A couple of weeks back while working on a related bug [CVE-2016-3627] I
discovered a specially created xml file is capable of triggering a stack
overflow before libxml2 can detect it's an invalid xml file.
We raised this issue upstream on 2016-04-18 and informed them that we
would place a two week embargo on the issue in case we didn't hear back.
As of yet we have had no response so we have posted here.
https://bugzilla.gnome.org/show_bug.cgi?id=765207
We intend to keep the current embargo (ending May 3) unless we get
advised otherwise here. Below is a script to generate the xml file.
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used
to call xmlStringDecodeEntities() in a recursive context without
incrementing the 'depth' counter in the parser context. Because of that
omission, the parser failed to detect attribute recursions in certain
documents before running out of stack space.
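To make the missing check concrete, here is an added toy illustration (not libxml2's code, and not the script referred to above): a minimal entity expander for attribute values in which every recursive call increments a depth counter, so a self-referencing entity definition is reported as an error instead of recursing until the stack is exhausted. The entity table, the MAX_DEPTH limit and the sample inputs are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Toy entity table: name -> replacement text (constructed sample data). */
typedef struct { const char *name; const char *value; } entity_t;

#define MAX_DEPTH 8   /* recursion limit chosen for this toy; an assumption */

static const char *lookup(const entity_t *tab, size_t n, const char *name, size_t len) {
    for (size_t i = 0; i < n; i++)
        if (strlen(tab[i].name) == len && memcmp(tab[i].name, name, len) == 0)
            return tab[i].value;
    return NULL;
}

/* Expand &name; references in `in`, appending to `out` at *pos.
 * Returns 0 on success, -1 on an undefined/malformed reference, output
 * overflow, or when `depth` exceeds MAX_DEPTH (an entity loop).
 * `depth` is incremented on every recursive call: that increment is the
 * step the page describes as missing in the affected libxml2 paths. */
static int expand(const entity_t *tab, size_t n, const char *in,
                  char *out, size_t outsz, size_t *pos, int depth) {
    if (depth > MAX_DEPTH) return -1;
    for (const char *p = in; *p; p++) {
        if (*p == '&') {
            const char *semi = strchr(p, ';');
            if (!semi) return -1;
            const char *val = lookup(tab, n, p + 1, (size_t)(semi - p - 1));
            if (!val) return -1;
            if (expand(tab, n, val, out, outsz, pos, depth + 1) != 0) return -1;
            p = semi;
        } else {
            if (*pos + 1 >= outsz) return -1;
            out[(*pos)++] = *p;
        }
    }
    out[*pos] = '\0';
    return 0;
}

/* Public entry point: expand an attribute value; 0 on success, -1 on error. */
int expand_attr(const entity_t *tab, size_t n, const char *in, char *out, size_t outsz) {
    size_t pos = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    return expand(tab, n, in, out, outsz, &pos, 0);
}
```

With the depth parameter left unincremented (passing `depth` instead of `depth + 1`), the looping table below would recurse without bound, which is the failure mode the disclosure describes.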
Hope this helps guide those that have the skill to take it further.