memory content leak when using xmlTextWriterWriteAttribute with malformed utf-8

Bug #655442 reported by Kees Cook
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libxml2 | Invalid | Medium | | |
| php | Unknown | Unknown | | |
| libxml2 (Ubuntu) | Invalid | Low | Unassigned | |

Bug Description

Binary package hint: php5

It seems that PHP is not correctly using libxml2's xmlwriter routines, and allows passing in invalid utf-8 strings which are then misparsed by libxml2, allowing memory contents to leak into the resulting output.

Actual output:
PHP Warning: XMLWriter::writeAttribute(): string is not in UTF-8 in /tmp/xmlwriter.php on line 12
<input value="&#x40;&#xB1;�ˋ[����ĹJ���R���Q"/>

Expected output:
<input value="&#xe0;&#e81"/>

Kees Cook (kees) wrote :
security vulnerability: no → yes
Changed in php5 (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
summary: - memory leak when using invalid utf-8 with XMLWriter::writeAttribute
+ memory content leak when using invalid utf-8 with
+ XMLWriter::writeAttribute
Kees Cook (kees) wrote : Re: memory content leak when using invalid utf-8 with XMLWriter::writeAttribute

Appears broken all the way back through Hardy. Dapper behaves correctly.

Kees Cook (kees) wrote :

I've also reported this to libxml2, in case it should be fixed there instead.
https://bugzilla.gnome.org/show_bug.cgi?id=631551

Kees Cook (kees)
affects: php5 (Ubuntu) → libxml2 (Ubuntu)
Kees Cook (kees) wrote :
summary: - memory content leak when using invalid utf-8 with
- XMLWriter::writeAttribute
+ memory content leak when using xmlTextWriterWriteAttribute with
+ malformed utf-8
Changed in libxml2:
importance: Unknown → Medium
status: Unknown → New
Changed in libxml2:
status: New → Invalid
Jamie Strandboge (jdstrand) wrote :

Upstream claims this is not a bug in libxml2.

Changed in libxml2 (Ubuntu):
status: Confirmed → Invalid
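
If the writer is not going to reject malformed UTF-8, the code calling xmlTextWriterWriteAttribute has to. The block below is an added example, not code from PHP, libxml2 or this report: a strict UTF-8 check that never reads past the terminating NUL, placed in front of a writer call. The names `utf8_is_valid`, `checked_write_attribute` and `stub_write_attribute` are hypothetical, the stub stands in for the real writer so the example runs without libxml2, and the sample byte strings are constructed.

```c
#include <stdio.h>

/* Returns 1 if the NUL-terminated string is well-formed UTF-8, else 0.
 * A lead byte that announces more continuation bytes than the string
 * holds is rejected at the NUL instead of being followed past it. */
int utf8_is_valid(const char *str)
{
    const unsigned char *s = (const unsigned char *)str;
    while (*s) {
        unsigned char c = *s++;
        unsigned int need;
        unsigned long cp, min;
        if (c < 0x80) continue;                       /* plain ASCII */
        if ((c & 0xE0) == 0xC0)      { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;               /* stray continuation or invalid lead */
        while (need--) {
            /* NUL is not a continuation byte, so truncation stops here */
            if ((*s & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (*s++ & 0x3F);
        }
        /* reject overlong forms, out-of-range values and surrogates */
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;
    }
    return 1;
}

/* Hypothetical stand-in for the real writer call; counts how often
 * it was reached and returns that count. */
static int sink_calls;
static int stub_write_attribute(const char *name, const char *content)
{
    (void)name; (void)content;
    return ++sink_calls;
}

/* Gate in front of the writer: returns -1 without calling it unless
 * both the attribute name and its content are well-formed UTF-8. */
int checked_write_attribute(const char *name, const char *content)
{
    if (!utf8_is_valid(name) || !utf8_is_valid(content))
        return -1;
    return stub_write_attribute(name, content);
}

int main(void)
{
    /* constructed inputs: truncated 3-byte sequence, then valid text */
    printf("%d\n", checked_write_attribute("value", "\xE0\x81"));
    printf("%d\n", checked_write_attribute("value", "caf\xC3\xA9"));
    return 0;
}
```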
This report contains Public Security information  
Everyone can see this security related information.