Submission #622285: LibXML2 xmlcatalog the newest master stack overflow (Info)

Title: LibXML2 xmlcatalog the newest master stack overflow
Description:

## Summary

An unbounded-recursion vulnerability exists in libxml2's `xmlcatalog` tool when it processes malformed SGML catalog input. The mutual recursion between `xmlExpandCatalog` and `xmlParseSGMLCatalog` never terminates, the stack is exhausted, and the process is killed with SIGSEGV. The impact is a crash (denial of service).

## Vulnerability Details

**Program**: xmlcatalog (libxml2)
**Crash Type**: SIGSEGV (Signal 11), stack overflow
**Root Cause**: Unbounded recursion xmlExpandCatalog → xmlParseSGMLCatalog → xmlExpandCatalog → ...
**Trigger**: Malformed SGML catalog processing with a specific combination of command-line parameters

## Technical Analysis

### Stack Trace Pattern

```gdb
#0 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#1 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#2 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#3 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#4 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#5 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
... (pattern repeats until the stack is exhausted)
```

Note that the frames carry the string `--verbose` as the `filename` argument, while the reproduction command below does not pass `--verbose`; the trace was evidently captured from a different invocation than the one listed under Reproduction Steps.

### Vulnerability Mechanism

1. **Parameter Confusion**: The `--verbose` command-line parameter is treated as a catalog filename during catalog processing.
2. **Recursive Entry**: `xmlExpandCatalog` attempts to parse this "filename" as an SGML catalog.
3. **Mutual Recursion**: `xmlExpandCatalog` calls `xmlParseSGMLCatalog`, which in turn calls `xmlExpandCatalog` again with the same argument.
4. **Stack Exhaustion**: Nothing bounds the recursion depth, so each round consumes more stack until the guard page is hit.
5. **Process Termination**: The stack overflow raises SIGSEGV and the process terminates.

### Code Path Analysis

```
xmlcatalog main()
  → Command line parsing with --sgml --shell --create --add
    → xmlExpandCatalog(catal, "--verbose")
      → xmlParseSGMLCatalog(catal, "--verbose", ...)
        → xmlExpandCatalog(catal, "--verbose")        [RECURSION BEGINS]
          → xmlParseSGMLCatalog(catal, "--verbose", ...)
            → xmlExpandCatalog(catal, "--verbose")
              → ...                                    [UNBOUNDED RECURSION]
```

## Reproduction Steps

### Test Case

```bash
# Execute the vulnerable command with the POC file
./xmlcatalog --sgml --shell --create --add t --add resolve POC_libxml2_xmlcatalog_infinite_recursion.xml
```

### Expected Behavior

The command will:

1. Enter unbounded recursion between `xmlExpandCatalog` and `xmlParseSGMLCatalog`
2. Consume stack memory until the stack overflows
3. Crash with SIGSEGV (Signal 11)
4. Under a debugger such as gdb, show a backtrace consisting of the repeated frame pair above

## Proof of Concept

**POC File**: [`POC_libxml2_xmlcatalog_infinite_recursion.xml`](https://drive.google.com/file/d/1woIeYVcSQB_NwfEhaVnX6MedpWJ_nqWl/view?usp=drive_link)
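The mechanism above (a catalog parser that recurses into the expander for every nested catalog reference, with nothing bounding the depth) is easiest to see on a small model. The following C program is an added illustration and is not libxml2's code nor its fix: it implements a toy SGML-style catalog loader over a constructed in-memory set of "files", where a `CATALOG "name"` directive recurses into `expand_catalog` exactly the way `xmlParseSGMLCatalog` recurses into `xmlExpandCatalog`. A catalog that names itself (`self.cat`) would recurse forever with no limit; the hardened variant carries a depth counter and fails closed with `CAT_ERR_TOO_DEEP` once an assumed bound (`MAX_CATALOG_DEPTH`, chosen here for the example) is exceeded. All names, return codes and sample catalogs are assumptions made for this example.

```c
/* Added example, not libxml2 code: toy SGML-style catalog loader showing
 * unbounded mutual recursion on a self-referencing CATALOG directive and
 * the depth bound that stops it. Names and inputs are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_CATALOG_DEPTH 32   /* assumed bound for the hardened variant */

/* Return codes for the toy loader (assumed, not libxml2's). */
enum { CAT_OK = 0, CAT_ERR_NOT_FOUND = -1, CAT_ERR_TOO_DEEP = -2 };

struct fake_file { const char *name; const char *content; };

/* Constructed inputs: "self.cat" includes itself (the failure mode from the
 * report); "a.cat" -> "b.cat" -> "leaf.cat" is a well-formed chain. */
static const struct fake_file FILES[] = {
    { "self.cat", "PUBLIC \"-//X//DTD T//EN\" \"t.dtd\"\nCATALOG \"self.cat\"\n" },
    { "a.cat",    "CATALOG \"b.cat\"\n" },
    { "b.cat",    "CATALOG \"leaf.cat\"\n" },
    { "leaf.cat", "SYSTEM \"x.dtd\" \"y.dtd\"\n" },
};

static const char *read_catalog(const char *name) {
    for (size_t i = 0; i < sizeof FILES / sizeof FILES[0]; i++)
        if (strcmp(FILES[i].name, name) == 0)
            return FILES[i].content;
    return NULL;
}

static int expand_catalog(const char *filename, int depth, int limit, int *entries);

/* Parse catalog text line by line. A CATALOG directive recurses into
 * expand_catalog, mirroring xmlParseSGMLCatalog -> xmlExpandCatalog;
 * every other non-empty line is counted as one resolved entry. */
static int parse_catalog(const char *text, int depth, int limit, int *entries) {
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 9 && strncmp(p, "CATALOG \"", 9) == 0) {
            char name[64];
            const char *start = p + 9;
            const char *end = memchr(start, '"', len - 9);
            if (end && (size_t)(end - start) < sizeof name) {
                memcpy(name, start, (size_t)(end - start));
                name[end - start] = '\0';
                int rc = expand_catalog(name, depth + 1, limit, entries);
                if (rc != CAT_OK)
                    return rc;
            }
        } else if (len > 0) {
            (*entries)++;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return CAT_OK;
}

/* limit < 0 models the unbounded behaviour from the report: on self.cat it
 * would recurse until the stack is exhausted, so never do that in a real
 * process. A non-negative limit is the hardened variant: the depth check
 * runs before any file I/O, so a cycle is rejected instead of crashing. */
static int expand_catalog(const char *filename, int depth, int limit, int *entries) {
    if (limit >= 0 && depth > limit)
        return CAT_ERR_TOO_DEEP;
    const char *text = read_catalog(filename);
    if (text == NULL)
        return CAT_ERR_NOT_FOUND;
    return parse_catalog(text, depth, limit, entries);
}

/* Returns the number of entries loaded (>= 0) or a negative CAT_ERR_* code. */
int count_catalog_entries(const char *filename, int limit) {
    int entries = 0;
    int rc = expand_catalog(filename, 0, limit, &entries);
    return rc == CAT_OK ? entries : rc;
}

int main(void) {
    printf("a.cat:    %d\n", count_catalog_entries("a.cat", MAX_CATALOG_DEPTH));
    printf("self.cat: %d (CAT_ERR_TOO_DEEP, cycle rejected)\n",
           count_catalog_entries("self.cat", MAX_CATALOG_DEPTH));
    return 0;
}
```

A depth bound is the minimal fix for this class of bug; a loader that wants to accept deep but acyclic include chains can instead keep the set of catalogs currently being expanded and refuse any `CATALOG` directive that names one of them, which rejects cycles without imposing an arbitrary depth.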
Source: https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
User: Anonymous User
Submitted: 2025-07-25 08:08 AM (9 months ago)
Moderation: 2025-08-08 09:50 AM (14 days later)
Status: Accepted
VulDB entry: 319228 [libxml2 up to 2.14.5 xmlcatalog xmlParseSGMLCatalog denial of service]
Points: 20
