Submit #622285: LibXML2 xmlcatalog the newest master stack overflow

Title: LibXML2 xmlcatalog the newest master stack overflow

Description:

## Summary

A critical infinite recursion vulnerability exists in libxml2's xmlcatalog tool when processing malformed SGML catalog files. This vulnerability causes stack overflow and application crash via SIGSEGV due to unbounded recursive function calls between `xmlExpandCatalog` and `xmlParseSGMLCatalog`.

## Vulnerability Details

- **Program**: xmlcatalog (libxml2)
- **Crash Type**: SIGSEGV (Signal 11)
- **Root Cause**: Infinite recursion in xmlExpandCatalog → xmlParseSGMLCatalog
- **Trigger**: Malformed SGML catalog processing with specific parameter combinations

## Technical Analysis

### Stack Trace Pattern

```gdb
#0 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#1 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#2 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#3 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#4 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#5 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
... (pattern repeats indefinitely until stack overflow)
```

### Vulnerability Mechanism

1. **Parameter Confusion**: The `--verbose` command-line parameter is incorrectly treated as a filename during catalog processing
2. **Recursive Entry**: `xmlExpandCatalog` attempts to parse this "filename" as an SGML catalog
3. **Infinite Loop**: `xmlExpandCatalog` calls `xmlParseSGMLCatalog`, which in turn calls `xmlExpandCatalog` again
4. **Stack Exhaustion**: The recursion continues without bounds until stack overflow occurs
5. **Process Termination**: Stack overflow triggers SIGSEGV, terminating the process

### Code Path Analysis

```
xmlcatalog main()
→ Command line parsing with --sgml --shell --create --add
→ xmlExpandCatalog(catal, "--verbose")
→ xmlParseSGMLCatalog(catal, "--verbose", ...)
→ xmlExpandCatalog(catal, "--verbose") [RECURSION BEGINS]
→ xmlParseSGMLCatalog(catal, "--verbose", ...)
→ xmlExpandCatalog(catal, "--verbose")
→ ...
[INFINITE LOOP]
```

## Reproduction Steps

### Test Case

```bash
# Execute vulnerable command with POC file
./xmlcatalog --sgml --shell --create --add t --add resolve POC_libxml2_xmlcatalog_infinite_recursion.xml
```

### Expected Behavior

The command will:

1. Enter infinite recursion between `xmlExpandCatalog` and `xmlParseSGMLCatalog`
2. Consume stack memory until overflow
3. Crash with SIGSEGV (Signal 11)
4. Display stack trace showing recursive function calls

## Proof of Concept

**POC File**: [`POC_libxml2_xmlcatalog_infinite_recursion.xml`](https://drive.google.com/file/d/1woIeYVcSQB_NwfEhaVnX6MedpWJ_nqWl/view?usp=drive_link)
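As an added illustration (not libxml2 code and not part of the original report), the following C model shows the two guards a defender would expect around a mutually recursive catalog loader of the kind described above: the expander rejects a name that does not resolve to a catalog at all (the `--verbose` case), and both functions carry a depth counter so that a self-referencing or cyclic catalog fails with an error instead of exhausting the stack. The names `expand_catalog`, `parse_sgml_catalog`, `load_catalog`, `MAX_CATALOG_DEPTH` and the in-memory `SAMPLE_CATALOGS` table are constructed for this example; how libxml2 itself resolved the issue is not shown on this page.

```c
/* Added illustration (not libxml2 code): a depth-bounded pair of mutually
 * recursive functions modelling the xmlExpandCatalog <-> xmlParseSGMLCatalog
 * cycle. Names, the catalog model and the limit are assumptions. */
#include <stdio.h>
#include <string.h>

/* Hypothetical cap on nested CATALOG includes; libxml2's own limit, if any,
 * is not documented on the page this example accompanies. */
#define MAX_CATALOG_DEPTH 32

/* Constructed in-memory "catalog files": each entry names a file and the
 * catalog it includes (NULL means it has no nested CATALOG entry). */
struct catalog_entry { const char *name; const char *includes; };

static const struct catalog_entry SAMPLE_CATALOGS[] = {
    { "root.cat",  "child.cat" },
    { "child.cat", NULL        },
    { "self.cat",  "self.cat"  },   /* self-referential: would recurse forever */
    { "a.cat",     "b.cat"     },
    { "b.cat",     "a.cat"     },   /* two-file include cycle */
};

enum { CATALOG_OK = 0, CATALOG_ERR_NOT_FOUND = -1, CATALOG_ERR_TOO_DEEP = -2 };

/* Stand-in for opening a catalog file: NULL when the name is not a catalog. */
static const struct catalog_entry *lookup(const char *name) {
    for (size_t i = 0; i < sizeof SAMPLE_CATALOGS / sizeof SAMPLE_CATALOGS[0]; i++)
        if (strcmp(SAMPLE_CATALOGS[i].name, name) == 0)
            return &SAMPLE_CATALOGS[i];
    return NULL;
}

static int parse_sgml_catalog(const char *filename, int depth);

/* Model of xmlExpandCatalog: validates the name, bounds the depth, then
 * hands the catalog to the SGML parser. Guard 1: unknown names (such as a
 * command-line flag mistaken for a filename) are rejected before any
 * recursion. Guard 2: the depth counter stops cyclic includes. */
int expand_catalog(const char *filename, int depth) {
    if (depth > MAX_CATALOG_DEPTH)
        return CATALOG_ERR_TOO_DEEP;
    if (lookup(filename) == NULL)
        return CATALOG_ERR_NOT_FOUND;
    return parse_sgml_catalog(filename, depth + 1);
}

/* Model of xmlParseSGMLCatalog: a nested CATALOG entry calls back into the
 * expander, which is the mutual recursion the report describes. The depth
 * is passed through unchanged so each full cycle costs exactly one level. */
static int parse_sgml_catalog(const char *filename, int depth) {
    const struct catalog_entry *e = lookup(filename);
    if (e == NULL)
        return CATALOG_ERR_NOT_FOUND;   /* defensive; expand_catalog already checked */
    if (e->includes == NULL)
        return CATALOG_OK;              /* leaf catalog, recursion ends here */
    return expand_catalog(e->includes, depth);
}

/* Top-level entry point mirroring a catalog load from the command line. */
int load_catalog(const char *filename) {
    return expand_catalog(filename, 0);
}

int main(void) {
    const char *inputs[] = { "root.cat", "self.cat", "a.cat", "--verbose" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-10s -> %d\n", inputs[i], load_catalog(inputs[i]));
    return 0;
}
```

The two guards are independent: the existence check alone would have stopped the `--verbose` case from this report, while the depth limit also covers a genuine catalog that includes itself, directly or through another file. Returning an error code rather than aborting lets the caller report the offending catalog name instead of the process dying with SIGSEGV.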
Source: https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
User: Anonymous User
Submission: 25.07.2025 08:08 (9 months ago)
Moderation: 08.08.2025 09:50 (14 days later)
Status: Accepted
VulDB Entry: 319228 [libxml2 up to 2.14.5 xmlcatalog xmlParseSGMLCatalog Denial of Service]
Points: 20
