GNOME libxslt
cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*
- c8b1ea4b
A heap use-after-free vulnerability has been identified in libxslt, caused by unsafe manipulation of the atype field in attribute nodes. This flaw arises when the xsltSetSourceNodeFlags() function adds extra flag bits to the atype field of xmlAttrPtr, which libxml2 later uses to determine if an attribute is an XML ID. The corruption prevents proper cleanup of ID attributes during memory deallocation, leading to dangling pointers. Exploitation is possible through crafted XSLT that uses the key() function, resulting in memory access violations that can cause crashes or heap corruption.
Exploitation of this vulnerability causes a heap use-after-free condition, where the program accesses memory that has already been freed. This can lead to memory corruption, allowing attackers to manipulate the program's memory in ways that could cause it to crash or potentially execute arbitrary code.
The vulnerability can be reproduced by applying an XSLT stylesheet that uses the key() function to an XML document. The key() function should be configured to match an attribute that is treated as an XML ID. When the XSLT processor processes the document, the atype field of the ID attribute is corrupted, creating a use-after-free condition when the result tree fragment is destroyed.
Users can apply the patch provided by Apple's fork of libxml2, which addresses the atype corruption without breaking ABI compatibility. This patched version of libxml2 can be used in conjunction with the fixed version of libxslt to eliminate the vulnerability.
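As an added illustration of the mechanism described above (not code from libxslt, libxml2, the referenced commit or Apple's patch), this C model uses stand-in structs and constants to show why OR-ing flag bits into the enum-typed atype field defeats the equality check that removes an ID attribute from the document's ID table, and how a masked comparison, which stands in here for the ABI-preserving fix, restores the cleanup.

```c
#include <stdio.h>

/* Constructed model of the atype corruption (not libxml2 or libxslt code).
 * All names below are stand-ins, not the libraries' real symbols. */

enum attr_type { ATTR_NONE = 0, ATTR_ID = 2 };  /* stand-in for xmlAttributeType */
#define XSLT_SRC_FLAG 0x100                      /* stand-in for the bits libxslt ORs in */
#define ATTR_TYPE_MASK 0xFF                      /* stand-in for the masking fix */

struct doc  { int id_refs; };                    /* live entries in the document's ID table */
struct attr { struct doc *doc; int atype; };     /* mirrors xmlAttrPtr's atype field */

/* Registering an ID attribute stores a reference to it in the document's ID table. */
static void add_id(struct doc *d, struct attr *a) {
    a->doc = d; a->atype = ATTR_ID; d->id_refs++;
}

/* Buggy behaviour: flag bits are OR'ed straight into the enum-typed atype field. */
static void set_source_flags(struct attr *a, int flags) { a->atype |= flags; }

/* Freeing an attribute must drop its ID-table entry, or the table keeps a dangling pointer. */
static void free_attr_buggy(struct attr *a) {
    if (a->doc && a->atype == ATTR_ID)                      /* 0x102 != 0x2: never removed */
        a->doc->id_refs--;
}
static void free_attr_fixed(struct attr *a) {
    if (a->doc && (a->atype & ATTR_TYPE_MASK) == ATTR_ID)   /* ignore foreign flag bits */
        a->doc->id_refs--;
}

/* Each helper returns how many ID-table entries still refer to the freed attribute. */
int dangling_refs_buggy(void) {
    struct doc d = {0}; struct attr a = {0};
    add_id(&d, &a); set_source_flags(&a, XSLT_SRC_FLAG); free_attr_buggy(&a);
    return d.id_refs;   /* 1: a dangling reference survives */
}
int dangling_refs_fixed(void) {
    struct doc d = {0}; struct attr a = {0};
    add_id(&d, &a); set_source_flags(&a, XSLT_SRC_FLAG); free_attr_fixed(&a);
    return d.id_refs;   /* 0: the entry is removed before the attribute goes away */
}

int main(void) {
    printf("buggy: %d dangling ID entries\nfixed: %d dangling ID entries\n",
           dangling_refs_buggy(), dangling_refs_fixed());
    return 0;
}
```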