Segmentation fault when parsing malformed XML (null pointer dereference)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python2.3-xml (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Binary package hint: python2.3-xml
It seems that the pyexpat library causes a crash in Zope when parsing a malformed XML-RPC request. Since no authentication is required, this results in a DoS of Zope on dapper. The same request to Zope on hardy does not cause a crash.
I haven't looked at the source, so there is also a chance that the real cause is invalid usage of the library.
XML from request:

```
<?xml version=
```

XML from request (base64):

```
PD94bWwgdmVyc2l
dGhvZE5hbWU+
L21ldGhvZENhbGw
```
The crash occurs when a null pointer is handed over to Python code:
```
(gdb) bt
#0 0x08077718 in PyDict_GetItem ()
#1 0xb7a2a4e0 in initpyexpat () from /usr/lib/
#2 0xb7a38a51 in XML_ParserReset () from /usr/lib/
#3 0xb7a3addf in XML_ParserReset () from /usr/lib/
#4 0xb7a35646 in XML_ParserReset () from /usr/lib/
#5 0xb7a3b55a in XML_ParserReset () from /usr/lib/
#6 0xb7a2d8c9 in XML_ParseBuffer () from /usr/lib/
#7 0xb7a2dcb5 in XML_Parse () from /usr/lib/
#8 0xb7a285bf in initpyexpat () from /usr/lib/
(gdb) info registers
eax            0x8109c60    135306336
ecx            0x1          1
edx            0xb5ac4e2c   -1246998996
ebx            0x0          0
esp            0xb3e1bf10   0xb3e1bf10
ebp            0xb3e1bf28   0xb3e1bf28
esi            0xb5b2602c   -1246601172
edi            0x0          0
eip            0x8077718    0x8077718 <PyDict_GetItem+24>
eflags         0x200246     2097734
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
0x08077700 <PyDict_GetItem+0>:  push   %ebp
0x08077701 <PyDict_GetItem+1>:  mov    %esp,%ebp
0x08077703 <PyDict_GetItem+3>:  push   %esi
0x08077704 <PyDict_GetItem+4>:  push   %ebx
0x08077705 <PyDict_GetItem+5>:  sub    $0x10,%esp
0x08077708 <PyDict_GetItem+8>:  mov    0x8(%ebp),%esi
0x0807770b <PyDict_
0x0807770e <PyDict_
0x08077711 <PyDict_
0x08077716 <PyDict_
0x08077718 <PyDict_
```
```
ii  python2.3-xml  0.8.4-1ubuntu4  XML tools for Python (2.3.x)

Description: Ubuntu 6.06.2 LTS
Release:     6.06
```
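As an added example, not code from the report, from Zope or from pyexpat: an application-side pre-check, written against the same pyexpat module under Python 3, that rejects a malformed or mis-shaped XML-RPC body with a reason string before anything reaches the dispatcher. The sample bodies (TRUNCATED_REQUEST, which reuses the `<?xml version=` prefix shown in the report, VALID_REQUEST, WRONG_ROOT) and the 1 MiB size cap are constructed assumptions.

```python
import xml.parsers.expat as expat

# Constructed sample request bodies (assumptions, not the report's payload).
TRUNCATED_REQUEST = b"<?xml version="      # same prefix the report shows
VALID_REQUEST = (b"<?xml version='1.0'?><methodCall>"
                 b"<methodName>examples.getStateName</methodName>"
                 b"<params><param><value><i4>41</i4></value></param></params>"
                 b"</methodCall>")
WRONG_ROOT = b"<?xml version='1.0'?><methodResponse><params/></methodResponse>"


def check_xmlrpc_request(data, max_bytes=1 << 20):
    """Pre-validate a raw XML-RPC request body before it reaches the dispatcher.

    Returns (True, method_name) if the body is well-formed XML whose root
    element is <methodCall> carrying a non-empty <methodName>; otherwise
    (False, reason). An ExpatError becomes a reason string, so malformed
    input is answered with a fault instead of propagating as an exception.
    """
    if len(data) > max_bytes:
        return False, "request too large"
    state = {"root": None, "method": None, "in_name": False, "text": []}
    parser = expat.ParserCreate()

    def start(name, attrs):
        if state["root"] is None:
            state["root"] = name          # first element seen is the root
        if name == "methodName":
            state["in_name"] = True

    def end(name):
        if name == "methodName":
            state["in_name"] = False
            state["method"] = "".join(state["text"]).strip()

    def chars(text):                      # expat may split text into chunks
        if state["in_name"]:
            state["text"].append(text)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(data, True)          # True: this is the final chunk
    except expat.ExpatError as err:
        return False, "malformed XML: %s" % err
    if state["root"] != "methodCall":
        return False, "root element is %r, expected methodCall" % state["root"]
    if not state["method"]:
        return False, "missing methodName"
    return True, state["method"]
```

A build whose pyexpat itself dereferences a null pointer, as the backtrace above shows for dapper, will still crash inside `parser.Parse`; this check hardens the application layer and does not replace the package fix.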
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures