TUCoPS :: Linux :: Apps A-M :: bx3937.htm

libxslt heap overflow
libxslt heap overflow
libxslt heap overflow



Hi,

A heap overflow exists in libxslt when processing a crypto-related
built-in function.

Full technical details:
http://scary.beasts.org/security/CESA-2008-003.html 

The faulty code can be summarized:

static void
exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
...
    key = xmlXPathPopString (ctxt);
    key_len = xmlUTF8Strlen (str);

...
    padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
    key_size = xmlUTF8Strsize (key, key_len);
    memcpy (padkey, key, key_size);
    memset (padkey + key_size, '\0', sizeof (padkey));
...


A statically-sized heap buffer is populated with an arbitrary-length
string from an incoming XSL function argument.

And the malicious XSL to trigger this:

xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 

xmlns:str="http://exslt.org/strings" 
xmlns:crypto="http://exslt.org/crypto" 
xmlns:math="http://exslt.org/math" 

extension-element-prefixes="str crypto math">



blah




Blog post for this, and future issues (with RSS):
http://scarybeastsecurity.blogspot.com/2008/07/buffer-overflow-in-libxslt.html 
http://scarybeastsecurity.blogspot.com/ 

Cheers
Chris

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH