Submit #622285: LibXML2 xmlcatalog the newest master stack overflow

Title: LibXML2 xmlcatalog the newest master stack overflow
Description:

## Summary

A critical infinite recursion vulnerability exists in libxml2's xmlcatalog tool when processing malformed SGML catalog files. This vulnerability causes stack overflow and application crash via SIGSEGV due to unbounded recursive function calls between `xmlExpandCatalog` and `xmlParseSGMLCatalog`.

## Vulnerability Details

- **Program**: xmlcatalog (libxml2)
- **Crash Type**: SIGSEGV (Signal 11)
- **Root Cause**: Infinite recursion in xmlExpandCatalog → xmlParseSGMLCatalog
- **Trigger**: Malformed SGML catalog processing with specific parameter combinations

## Technical Analysis

### Stack Trace Pattern

```gdb
#0 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#1 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#2 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#3 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#4 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#5 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
... (pattern repeats indefinitely until stack overflow)
```

### Vulnerability Mechanism

1. **Parameter Confusion**: The `--verbose` command-line parameter is incorrectly treated as a filename during catalog processing
2. **Recursive Entry**: `xmlExpandCatalog` attempts to parse this "filename" as an SGML catalog
3. **Infinite Loop**: `xmlExpandCatalog` calls `xmlParseSGMLCatalog`, which in turn calls `xmlExpandCatalog` again
4. **Stack Exhaustion**: The recursion continues without bounds until stack overflow occurs
5. **Process Termination**: Stack overflow triggers SIGSEGV, terminating the process

### Code Path Analysis

```
xmlcatalog main()
→ Command line parsing with --sgml --shell --create --add
→ xmlExpandCatalog(catal, "--verbose")
→ xmlParseSGMLCatalog(catal, "--verbose", ...)
→ xmlExpandCatalog(catal, "--verbose") [RECURSION BEGINS]
→ xmlParseSGMLCatalog(catal, "--verbose", ...)
→ xmlExpandCatalog(catal, "--verbose")
→ ... [INFINITE LOOP]
```

## Reproduction Steps

### Test Case

```bash
# Execute vulnerable command with POC file
./xmlcatalog --sgml --shell --create --add t --add resolve POC_libxml2_xmlcatalog_infinite_recursion.xml
```

### Expected Behavior

The command will:

1. Enter infinite recursion between `xmlExpandCatalog` and `xmlParseSGMLCatalog`
2. Consume stack memory until overflow
3. Crash with SIGSEGV (Signal 11)
4. Display stack trace showing recursive function calls

## Proof of Concept

**POC File**: [`POC_libxml2_xmlcatalog_infinite_recursion.xml`](https://drive.google.com/file/d/1woIeYVcSQB_NwfEhaVnX6MedpWJ_nqWl/view?usp=drive_link)
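As an added crash-triage example (not part of the submission and not libxml2 code): a small Python script that parses a gdb backtrace of the shape shown above, finds the shortest repeating frame cycle, and collects the `filename=` argument the frames carry, so a crash like this one can be classified as unbounded mutual recursion with a confused argument before anyone opens the source. The sample backtrace is constructed from the pattern in the report; the outer `main` frame and its arguments are assumed.

```python
import re

# Constructed sample in the report's shape; addresses are placeholders
# as in the submission. The trailing main frame is assumed.
SAMPLE_BT = """\
#0  xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#1  xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#2  xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#3  xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#4  xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#5  xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#6  xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#7  xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#8  main (argc=9, argv=0x...)
"""

# gdb frame line: "#N  [0xADDR in ]func (args)"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?([A-Za-z_][\w:]*)\s*\(")
# string value of a filename= argument, e.g. filename=0x... "--verbose"
FILENAME_RE = re.compile(r'filename=0x[0-9a-fA-F.]+\s+"([^"]*)"')

def frame_functions(backtrace):
    """Function name of every frame line, innermost (#0) first."""
    names = []
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            names.append(m.group(2))
    return names

def find_recursion_cycle(names, min_repeats=3):
    """Shortest cycle of function names that repeats at least
    min_repeats times from the top of the stack: (cycle, repeats) or None."""
    for period in range(1, len(names) // min_repeats + 1):
        cycle = names[:period]
        repeats, i = 0, 0
        while names[i:i + period] == cycle:
            repeats += 1
            i += period
        if repeats >= min_repeats:
            return cycle, repeats
    return None

def filename_args(backtrace):
    """Distinct string values passed as filename= in any frame."""
    return set(FILENAME_RE.findall(backtrace))

def triage(backtrace):
    """Classify a backtrace; a repeating cycle means unbounded recursion."""
    names = frame_functions(backtrace)
    hit = find_recursion_cycle(names)
    if hit is None:
        return {"unbounded_recursion": False, "frames": len(names)}
    cycle, repeats = hit
    return {"unbounded_recursion": True, "cycle": cycle, "repeats": repeats,
            "frames": len(names), "filenames": filename_args(backtrace)}
```

On the sample the cycle is `xmlExpandCatalog` → `xmlParseSGMLCatalog` repeated four times with `--verbose` as the only filename argument, which is the signature the report describes.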
Source: https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
User: Anonymous User
Submission: 25/07/2025 08h08 (9 months ago)
Moderation: 08/08/2025 09h50 (14 days later)
State: Accepted
VulDB Entry: 319228 [libxml2 up to 2.14.5 xmlcatalog xmlParseSGMLCatalog Denial of Service]
Points: 20
