Submit #622285: LibXML2 xmlcatalog the newest master stack overflow

Title: LibXML2 xmlcatalog the newest master stack overflow

Description:

## Summary

A critical infinite recursion vulnerability exists in libxml2's xmlcatalog tool when processing malformed SGML catalog files. This vulnerability causes stack overflow and application crash via SIGSEGV due to unbounded recursive function calls between `xmlExpandCatalog` and `xmlParseSGMLCatalog`.

## Vulnerability Details

**Program**: xmlcatalog (libxml2)
**Crash Type**: SIGSEGV (Signal 11)
**Root Cause**: Infinite recursion in xmlExpandCatalog → xmlParseSGMLCatalog
**Trigger**: Malformed SGML catalog processing with specific parameter combinations

## Technical Analysis

### Stack Trace Pattern

```gdb
#0 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#1 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#2 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#3 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
#4 xmlExpandCatalog (catal=0x..., filename=0x... "--verbose")
#5 xmlParseSGMLCatalog (catal=0x..., filename=0x... "--verbose", ...)
... (pattern repeats indefinitely until stack overflow)
```

### Vulnerability Mechanism

1. **Parameter Confusion**: The `--verbose` command-line parameter is incorrectly treated as a filename during catalog processing
2. **Recursive Entry**: `xmlExpandCatalog` attempts to parse this "filename" as an SGML catalog
3. **Infinite Loop**: `xmlExpandCatalog` calls `xmlParseSGMLCatalog`, which in turn calls `xmlExpandCatalog` again
4. **Stack Exhaustion**: The recursion continues without bounds until stack overflow occurs
5. **Process Termination**: Stack overflow triggers SIGSEGV, terminating the process

### Code Path Analysis

```
xmlcatalog main()
  → Command line parsing with --sgml --shell --create --add
  → xmlExpandCatalog(catal, "--verbose")
    → xmlParseSGMLCatalog(catal, "--verbose", ...)
      → xmlExpandCatalog(catal, "--verbose") [RECURSION BEGINS]
        → xmlParseSGMLCatalog(catal, "--verbose", ...)
          → xmlExpandCatalog(catal, "--verbose")
            → ... [INFINITE LOOP]
```

## Reproduction Steps

### Test Case

```bash
# Execute vulnerable command with POC file
./xmlcatalog --sgml --shell --create --add t --add resolve POC_libxml2_xmlcatalog_infinite_recursion.xml
```

### Expected Behavior

The command will:

1. Enter infinite recursion between `xmlExpandCatalog` and `xmlParseSGMLCatalog`
2. Consume stack memory until overflow
3. Crash with SIGSEGV (Signal 11)
4. Display stack trace showing recursive function calls

## Proof of Concept

**POC File**: [`POC_libxml2_xmlcatalog_infinite_recursion.xml`](https://drive.google.com/file/d/1woIeYVcSQB_NwfEhaVnX6MedpWJ_nqWl/view?usp=drive_link)
Source: https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
User: Anonymous User
Submission: 07/25/2025 08:08 (9 months ago)
Moderation: 08/08/2025 09:50 (14 days later)
Status: Accepted
VulDB entry: 319228 [libxml2 up to 2.14.5 xmlcatalog xmlParseSGMLCatalog recursion]
Points: 20
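
The unbounded expand/parse cycle described in the submission can be cut off with a depth limit. The following is an added example, not libxml2 code and not the project's fix: it is a toy model in which the function names, the in-memory catalog table and `MAX_CATALOG_DEPTH` are all hypothetical, and it assumes a catalog file can pull in another catalog file.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CATALOG_DEPTH 50   /* hypothetical limit, not a libxml2 constant */

/* Constructed sample data: each toy catalog names at most one other
 * catalog that it pulls in (NULL = none). */
struct toy_catalog { const char *name; const char *include; };
static const struct toy_catalog files[] = {
    { "root.cat",  "child.cat" },
    { "child.cat", "leaf.cat"  },
    { "leaf.cat",  NULL        },
    { "self.cat",  "self.cat"  },   /* refers back to itself */
};

static int expand_catalog(const char *filename, int depth);

/* Model of the parse step: handles one file, then expands its include. */
static int parse_sgml_catalog(const struct toy_catalog *c, int depth)
{
    if (c->include == NULL)
        return 1;                       /* one file loaded */
    int n = expand_catalog(c->include, depth + 1);
    return n < 0 ? n : n + 1;           /* propagate failure upward */
}

/* Model of the expand step: looks the file up and hands it to the parser.
 * Returns the number of files loaded, or -1 on a missing file or when the
 * nesting depth exceeds the limit. */
static int expand_catalog(const char *filename, int depth)
{
    if (depth > MAX_CATALOG_DEPTH)
        return -1;                      /* bounded: fail instead of overflowing */
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].name, filename) == 0)
            return parse_sgml_catalog(&files[i], depth);
    return -1;
}

int load_catalog(const char *filename) { return expand_catalog(filename, 0); }

int main(void)
{
    printf("root.cat -> %d\n", load_catalog("root.cat"));
    printf("self.cat -> %d\n", load_catalog("self.cat"));
    return 0;
}
```

Without the depth check, the `self.cat` case recurses until the stack is exhausted, which matches the repeating two-frame pattern in the stack trace above.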
