DoS in libxml2 if lzma is enabled [CVE-2018-14567]
Dear all,
the following DoS was found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL).
I have attached the .libs directory (libs.zip) and the dos_file.
To reproduce the issue compile libxml2 with liblzma and open the dos_file:
$ git clone git://git.gnome.org/libxml2 && cd libxml2/
$ ./autogen.sh
$ make
$ LD_LIBRARY_PATH=.libs/ ldd .libs/xmllint
[...]
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007faba9dd0000)
$ LD_LIBRARY_PATH=.libs/ .libs/xmllint dos_file
We can verify the issue against commit 35e83488.
Credits: Simon Wörner, Sergej Schumilo, Cornelius Aschermann (all of Ruhr-Universität Bochum)
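A triage helper for the reproduction steps above, added here as an example and not part of the original report: it checks whether a binary links liblzma and runs it on a file under a time limit, so a parser that never returns is reported as `timeout` instead of blocking the shell. It assumes GNU coreutils `timeout`; the function names and the 10-second default are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the report. Assumes GNU coreutils `timeout`.

# links_lzma: read `ldd` output on stdin; succeed if liblzma is a dependency.
links_lzma() {
    grep -Eq '(^|[[:space:]/])liblzma\.so(\.[0-9]+)*([[:space:]]|$)'
}

# classify_run SECONDS CMD...: run CMD with a wall-clock limit and print one of
#   ok      - exit status 0
#   error   - non-zero exit (e.g. the parser rejected the input cleanly)
#   timeout - limit reached (GNU timeout exits with 124)
#   crash   - terminated by a signal (status above 128)
classify_run() {
    limit=$1; shift
    rc=0
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then echo ok
    elif [ "$rc" -eq 124 ]; then echo timeout
    elif [ "$rc" -gt 128 ]; then echo crash
    else echo error
    fi
}

# triage BINARY FILE: report lzma linkage and the outcome of parsing FILE.
# LIMIT (seconds) is a hypothetical knob for this example; default 10.
triage() {
    bin=$1; file=$2
    if ldd "$bin" 2>/dev/null | links_lzma; then lzma=yes; else lzma=no; fi
    echo "lzma=$lzma result=$(classify_run "${LIMIT:-10}" "$bin" "$file")"
}

# Usage, mirroring the report's environment:
#   LD_LIBRARY_PATH=.libs/ sh triage.sh .libs/xmllint dos_file
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```

A build is worth re-testing after an upgrade when the first field is `lzma=yes`; `result=error` on a malformed file is the graceful outcome.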