Segmentation fault when parsing malformed XML (null pointer dereference)

Bug #611731 reported by Roman Fiedler

Affects: python2.3-xml (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: python2.3-xml

It seems that the pyexpat library causes a crash in Zope when parsing a malformed XML-RPC request. Since no authentication is required, this results in a DoS of Zope on dapper. The same request to Zope on hardy does not cause a crash.

I haven't looked at the source, so there is also a chance that the real cause is invalid usage of the library.

XML from request:
<?xml version="1.0"?><methodCall><methodName>/xdsfads</methodName><params><param><vaìue></value></param></params></methodCall>

XML from request (base64):
PD94bWwgdmVyc2lvbj0iMS4wIj8+PG1ldGhvZENhbGw+PG1ldGhvZE5hbWU+L3hkc2ZhZHM8L21l
dGhvZE5hbWU+PHBhcmFtcz48cGFyYW0+PHZh7HVlPjwvdmFsdWU+PC9wYXJhbT48L3BhcmFtcz48
L21ldGhvZENhbGw+DQogICAgICAgICAgICAgICAgICAgICAgICAgIA0K

The crash occurs when a null pointer is handed over to Python code:

(gdb) bt
#0 0x08077718 in PyDict_GetItem ()
#1 0xb7a2a4e0 in initpyexpat ()
   from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#2 0xb7a38a51 in XML_ParserReset ()
   from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#3 0xb7a3addf in XML_ParserReset ()
   from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#4 0xb7a35646 in XML_ParserReset ()
   from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#5 0xb7a3b55a in XML_ParserReset ()
   from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#6 0xb7a2d8c9 in XML_ParseBuffer ()
   from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#7 0xb7a2dcb5 in XML_Parse ()
   from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so
#8 0xb7a285bf in initpyexpat ()
   from /usr/lib/python2.3/site-packages/_xmlplus/parsers/pyexpat.so

(gdb) info registers
eax 0x8109c60 135306336
ecx 0x1 1
edx 0xb5ac4e2c -1246998996
ebx 0x0 0
esp 0xb3e1bf10 0xb3e1bf10
ebp 0xb3e1bf28 0xb3e1bf28
esi 0xb5b2602c -1246601172
edi 0x0 0
eip 0x8077718 0x8077718 <PyDict_GetItem+24>
eflags 0x200246 2097734
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51

0x08077700 <PyDict_GetItem+0>: push %ebp
0x08077701 <PyDict_GetItem+1>: mov %esp,%ebp
0x08077703 <PyDict_GetItem+3>: push %esi
0x08077704 <PyDict_GetItem+4>: push %ebx
0x08077705 <PyDict_GetItem+5>: sub $0x10,%esp
0x08077708 <PyDict_GetItem+8>: mov 0x8(%ebp),%esi
0x0807770b <PyDict_GetItem+11>: mov 0xc(%ebp),%ebx -- get call arg to ebx
0x0807770e <PyDict_GetItem+14>: mov 0x4(%esi),%eax
0x08077711 <PyDict_GetItem+17>: cmp $0x8109c60,%eax
0x08077716 <PyDict_GetItem+22>: jne 0x8077752 <PyDict_GetItem+82>
0x08077718 <PyDict_GetItem+24>: cmpl $0x810ab00,0x4(%ebx) -- use ebx, crash

ii python2.3-xml 0.8.4-1ubuntu4 XML tools for Python (2.3.x)

Description: Ubuntu 6.06.2 LTS
Release: 6.06

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
Changed in python2.3-xml (Ubuntu):
status: New → Confirmed