GNOME libxslt
cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in libxslt, triggered while processing XSL nodes. The flaw can cause expired pointers to be dereferenced, crashing the application. It arises during the evaluation of global variables, where result value trees (RVTs) are mismanaged so that XPath evaluation can follow links that should no longer be reachable. The flaw can be triggered by manipulating XSL key evaluations, resulting in a crash or potentially allowing the execution of arbitrary code.
Triggering this vulnerability causes a heap-based use-after-free error, leading to a crash. However, such vulnerabilities can often be exploited to execute arbitrary code under certain conditions.
The vulnerability can be reproduced by applying an XSLT stylesheet that uses the key() function together with XPath axis traversal, such as preceding::, to an XML document. This can be done with the libxslt command-line tool, xsltproc, given the vulnerable XSLT and XML files as input. AddressSanitizer (ASan) can be used to detect the use-after-free, which occurs when the XSLT processor evaluates global variables and keys in a way that causes nodes from one RVT to be incorrectly linked to another, leading to the premature release of memory that is still in use.
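For sites that accept stylesheets from untrusted sources, a pre-load screen that flags XPath expressions combining key() with a reverse axis (the pattern named above) is a cheap interim mitigation until a fixed libxslt is deployed. The script below is an added example, not code from the libxslt project or the advisory; it uses only the standard-library XML parser so no libxslt code runs during the check, and the sample stylesheet is constructed for illustration.

```python
"""Screen untrusted XSLT stylesheets for XPath expressions that both call
key() and walk a reverse axis such as preceding::, before handing them to
libxslt.  Example code, not part of libxslt."""
import re
import xml.etree.ElementTree as ET

XSL_NS = "{http://www.w3.org/1999/XSL/Transform}"
# Attributes that carry XPath expressions in XSLT 1.0 elements.
XPATH_ATTRS = ("select", "test", "match", "use")
# The advisory names preceding::; the other reverse axes are the same family.
REVERSE_AXIS = re.compile(
    r"\b(preceding|preceding-sibling|ancestor|ancestor-or-self)::")
KEY_CALL = re.compile(r"\bkey\s*\(")


def find_risky_expressions(xslt_text):
    """Return (element, attribute, expression) triples for every XPath
    expression on an XSL element that calls key() and uses a reverse axis.
    Note: attribute value templates on literal result elements are not
    inspected; extend XPATH_ATTRS/element filtering if your inputs use them."""
    root = ET.fromstring(xslt_text)
    hits = []
    for elem in root.iter():
        if not elem.tag.startswith(XSL_NS):
            continue
        for attr in XPATH_ATTRS:
            expr = elem.get(attr)
            if expr and KEY_CALL.search(expr) and REVERSE_AXIS.search(expr):
                hits.append((elem.tag[len(XSL_NS):], attr, expr))
    return hits


def is_safe_to_load(xslt_text):
    """True when no flagged expression is present."""
    return not find_risky_expressions(xslt_text)


# Constructed sample: one global variable combines key() with preceding::,
# the other uses key() alone and is not flagged.
SAMPLE = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:key name="k" match="item" use="@id"/>
  <xsl:variable name="hits" select="key('k', 'a')/preceding::item"/>
  <xsl:variable name="safe" select="key('k', 'b')"/>
  <xsl:template match="/">
    <out><xsl:copy-of select="$hits"/></out>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for hit in find_risky_expressions(SAMPLE):
        print("flagged: <xsl:%s %s=%r>" % hit)
```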
A patch for this vulnerability has been proposed and is available as a merge request on the GNOME libxslt GitLab repository. However, the merge request has not yet been integrated into the main branch.