CVE-2017-9047
libxml2: Buffer overflow in function xmlSnprintfElementContent
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.
Se detectó un desbordamiento de búfer en libxml2 versión 20904-GITv2.9.4-16-g0741801. La función xmlSnprintfElementContent en el archivo valid.c debe volcar recursivamente la definición del contenido del elemento en un búfer de caracteres 'buf' de tamaño "size". La variable len es asignada strlen (buf). Si el content-)type es XML_ELEMENT_CONTENT_ELEMENT, entonces (i) content-)prefix se agrega a buf (si realmente encaja) con lo cual (ii) content-)name se escribe en el búfer. Sin embargo, la comprobación de si el content-)name realmente se ajusta también usa 'len' en lugar de la longitud de búfer actualizada (buf). Esto nos permite escribir sobre "size" muchos bytes más allá de la memoria asignada. Esta vulnerabilidad causa que los programas que usan libxml2, como PHP, se bloqueen.
It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-05-18 CVE Reserved
- 2017-05-18 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-122: Heap-based Buffer Overflow
CAPEC
References (8)
| URL | Date | SRC |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2017/05/15/1 | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2017/dsa-3952 | 2023-11-07 | |
| https://security.gentoo.org/glsa/201711-01 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2017-9047 | 2018-08-16 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1452554 | 2018-08-16 |