XML::LibXML Out-of-Bounds Heap Read Vulnerability in UTF-8 Parsing

Vulnerability

A vulnerability in XML::LibXML versions through 2.0210 for Perl allows out-of-bounds heap memory reads. It occurs when the library processes XML node names containing truncated UTF-8 byte sequences: a lead byte announces a multi-byte character, but the buffer ends before the expected continuation bytes, and the read continues past the allocation. The flaw is reachable from any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods through the default API. The most likely outcome is a process crash, resulting in a denial-of-service condition.

Impact

Exploitation of this vulnerability can lead to a process crash, causing a denial-of-service condition. Additionally, on certain heap layouts, it could allow reading of sensitive data from adjacent memory allocations, although this data is only used for character classification and not returned to the caller.

Reproduction

The vulnerability can be reproduced through XML::LibXML's DOM methods that accept node names, such as createElement or createAttribute. Supply a node name that contains a truncated UTF-8 sequence, for example a valid ASCII character followed by the lead byte of a multi-byte UTF-8 character with its continuation bytes missing. The out-of-bounds read is triggered when the library attempts to classify the characters of the malformed name.

Remediation

Update to the patched version of XML::LibXML, which validates UTF-8 continuation bytes before parsing a node name. The specific commit addressing this vulnerability is available on the XML::LibXML GitHub repository. Until the update is deployed, applications can reject node names that are not complete, well-formed UTF-8 before handing them to the DOM API.
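The following is an added example, not code from XML::LibXML or its fix. It shows, in Python, the kind of continuation-byte check the remediation describes: a lead byte promises a fixed number of bytes, and the check confirms that those bytes exist and carry the continuation bit pattern before the name is accepted. The function names and the sample inputs are constructed for this illustration.

```python
def utf8_sequence_length(lead: int) -> int:
    """Byte length implied by a UTF-8 lead byte, or 0 if the byte cannot start a sequence."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0  # stray continuation byte (0x80-0xBF) or invalid lead (0xC0, 0xC1, 0xF5+)


def find_truncated_utf8(data: bytes):
    """Return (offset, expected_len, bytes_present) for the first incomplete or
    malformed sequence, or None if every sequence is structurally complete.
    Only lead/continuation structure is checked, not overlong or surrogate encodings."""
    i, n = 0, len(data)
    while i < n:
        length = utf8_sequence_length(data[i])
        if length == 0:
            return (i, 0, n - i)
        # The check the unpatched code lacks: the lead byte promises `length`
        # bytes, but the buffer may end first. Reading them anyway is the OOB read.
        if i + length > n:
            return (i, length, n - i)
        for j in range(1, length):
            if data[i + j] & 0xC0 != 0x80:  # continuation bytes must be 10xxxxxx
                return (i, length, j)
        i += length
    return None


def safe_node_name(name: bytes) -> str:
    """Decode a candidate node name only if its UTF-8 is complete; raise otherwise."""
    problem = find_truncated_utf8(name)
    if problem is not None:
        off, expected, got = problem
        raise ValueError(f"malformed UTF-8 at byte {off}: expected {expected} bytes, got {got}")
    return name.decode("utf-8")


# Constructed inputs: ASCII 'a' followed by lead byte 0xC3 with no continuation byte,
# and the same name with the continuation byte present (U+00E9, "\xc3\xa9").
TRUNCATED_NAME = b"a\xc3"
COMPLETE_NAME = b"a\xc3\xa9"
```

In practice Python's own bytes.decode already rejects such input; the explicit loop is there to show exactly which bytes the check inspects and why a missing continuation byte is where an unchecked decoder walks off the end of the buffer.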

Added: May 10, 2026, 9:25 PM
Updated: May 10, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.