Report forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>: Bug#496125; Package libxml2.
Acknowledgement sent to Christian Jaeger <christian@jaeger.mine.nu>:
New Bug report received and forwarded. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>.
Package: libxml2
Version: 2.6.32.dfsg-2+lenny
Severity: grave
Justification: renders package unusable
See the thread "Lenny users: attn about Gnome/libxml2 breakage" on the
debian-user mailing list (at the time of writing this bug report, the
archive didn't index those mails yet so I can't give an url).
Here is the text:
Today I did the usual dist-upgrade for my "testing" install, and
it left me with a badly broken (from user's perspective)
installation, because basically all Gnome applications stopped
working. After a bit over 2 hours worth of investigation, I've
found out how to solve the issue; since I first looked here and
didn't find anything gnome related, I'm sending this to the list
for the casual other victim.
Symptom: Gnome apps just hang, without outputting anything to
stdout/stderr (or .xsession-errors if started through the menu).
Problem: the apps segfault inside libxml2, and thereafter enter a
deadlocked state in a mutex (or in a select call); the former is
apparently a bug in libxml2, the latter seems to be the Gnome
functionality to pop up a window which seems to have an issue on
its own (so it's really two bugs happening here, obscuring the
investigation a bit.)
Solution: install libxml2 from unstable; this is actually a
downgrade (from libxml2 2.6.32.dfsg-2+lenny to
2.6.32.dfsg-2). I.e. "apt-get install -t unstable
libxml2/unstable", but you need to have the unstable sources in
apt.sources and use apt pinning (I won't explain that here, check
other sources).
to which I added:
I realize that the suggestion I wrote about undoes a security
fix. So, don't do what I said, do something different (what about
going outside and enjoying a walk?). Well ok, the issue said to be
fixed is only a DoS (of course ironically it introduces another
DoS ;) .
Thanks in advance to the security team for fixing the fixes.
The segfaults happen in libxml2 for both applications (Galeon and
gnome-appearance-properties) which I ran under GDB:
#0 0x00007f6038aa95c8 in _int_free (av=0x7f6038d829e0, mem=0xc9ad10) at malloc.c:4663
#1 0x00007f6038aa9a76 in *__GI___libc_free (mem=0xc9ad10) at malloc.c:3626
#2 0x00007f603c54f065 in xmlParseEntityDecl__internal_alias (ctxt=0xcb1700) at parser.c:4809
#3 0x00007f603c54f7e6 in xmlParseMarkupDecl__internal_alias (ctxt=0x7f6038d829e0) at parser.c:5947
#4 0x00007f603c54f87e in xmlParseInternalSubset (ctxt=0xcb1700) at parser.c:7310
#5 0x00007f603c550626 in xmlParseChunk__internal_alias (ctxt=0xcb1700,
chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
#6 0x00007f602bac4cd0 in ?? () from /usr/lib/librsvg-2.so.2
#7 0x00007f602bcf0d7c in ?? () from /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
#8 0x00007f603a5d4c99 in IA__gdk_pixbuf_loader_write (loader=0xb28ea0,
buf=0xc94180 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!-- Generator: Adobe Illustrator 10.0.3, SVG Export Plug-In . SVG Version: 3.0.0 Build 77) -->\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.0//EN\" \"http://www.w3"..., count=4082, error=0xcc8528)
at /scratch/build-area/gtk+2.0-2.12.11/gdk-pixbuf/gdk-pixbuf-loader.c:475
#9 0x00007f603ab9c530 in icon_info_ensure_scale_and_pixbuf (icon_info=0xcc84f0,
scale_only=<value optimized out>)
at /scratch/build-area/gtk+2.0-2.12.11/gtk/gtkicontheme.c:2743
...
(you can see the rest of the backtraces in my mailing list email)
Here I'll also post the top of a "bt full", which indicates that glibc
complains about a double free:
#0 0x00007f4c4ab725c8 in _int_free (av=0x7f4c4ae4b9e0, mem=0xc9b570) at malloc.c:4663
p = (mchunkptr) 0xc9b560
size = 320
nextchunk = (mchunkptr) 0xc9b6a0
nextsize = 144
prevsize = <value optimized out>
bck = (mchunkptr) 0x11
fwd = (mchunkptr) 0x0
errstr = 0x7f4c4ac1a8d8 "double free or corruption (!prev)"
#1 0x00007f4c4ab72a76 in *__GI___libc_free (mem=0xc9b570) at malloc.c:3626
ar_ptr = (mstate) 0x7f4c4ae4b9e0
p = (mchunkptr) 0x1
hook = <value optimized out>
#2 0x00007f4c4e618065 in xmlParseEntityDecl__internal_alias (ctxt=0xc9a450) at parser.c:4809
name = (const xmlChar *) 0xc9b053 "ns_flows"
value = (xmlChar *) 0xc9b570 "http://ns.adobe.com/Flows/1.0/"
URI = <value optimized out>
literal = (xmlChar *) 0x0
ndata = <value optimized out>
isParameter = 0
orig = (xmlChar *) 0xc9b500 "http://ns.adobe.com/Flows/1.0/"
skipped = <value optimized out>
oldnbent = 0
#3 0x00007f4c4e6187e6 in xmlParseMarkupDecl__internal_alias (ctxt=0x7f4c4ae4b9e0) at parser.c:5947
#4 0x00007f4c4e61887e in xmlParseInternalSubset (ctxt=0xc9a450) at parser.c:7310
No locals.
No locals.
#5 0x00007f4c4e619626 in xmlParseChunk__internal_alias (ctxt=0xc9a450,
chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
end_in_lf = 0
#6 0x00007f4c3db8dcd0 in ?? () from /usr/lib/librsvg-2.so.2
No symbol table info available.
#7 0x00007f4c3ddb9d7c in ?? () from /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
No symbol table info available.
....
(BTW there seem to be no debugging symbols available in any Debian
package for librsvg-2. (Is this a bug of the librsvg-2 package?))
Christian.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (900, 'testing'), (800, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libxml2 depends on:
ii libc6 2.7-13 GNU C Library: Shared libraries
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages libxml2 recommends:
ii xml-core 0.11 XML infrastructure and XML catalog
libxml2 suggests no packages.
-- no debconf information
Acknowledgement sent to Christian Jaeger <christian@jaeger.mine.nu>:
> (at the time of writing this bug report, the
> archive didn't index those mails yet so I can't give an url)
Wrong, I was just too stupid to realize that the thread view of the
archives has a "next" page link (and that the date of last update is
only referring to the current page).
See:
http://lists.debian.org/debian-user/2008/08/thrd4.html#01793
> top of a "bt full", which indicates that glibc complains about a
> double free
Well, or maybe rather a memory corruption, since glibc seemingly *tried*
to emit a "double free or corruption (!prev)" message, which probably
would have succeeded if there wasn't a segfault while trying to do that
(meaning that something more severe is going wrong; I think glibc tries
to get a backtrace and memory map in such a case, which may be the point
where it fails; otoh, gdb didn't have problems showing the backtrace).
Christian.
Acknowledgement sent to Mike Hommey <mh@glandium.org>:
On Fri, Aug 22, 2008 at 10:05:12PM +0200, Christian Jaeger wrote:
> The segfaults happen in libxml2 for both applications (Galeon and
> gnome-appearance-properties) which I ran under GDB:
>
> #0 0x00007f6038aa95c8 in _int_free (av=0x7f6038d829e0, mem=0xc9ad10) at malloc.c:4663
> #1 0x00007f6038aa9a76 in *__GI___libc_free (mem=0xc9ad10) at malloc.c:3626
> #2 0x00007f603c54f065 in xmlParseEntityDecl__internal_alias (ctxt=0xcb1700) at parser.c:4809
> #3 0x00007f603c54f7e6 in xmlParseMarkupDecl__internal_alias (ctxt=0x7f6038d829e0) at parser.c:5947
> #4 0x00007f603c54f87e in xmlParseInternalSubset (ctxt=0xcb1700) at parser.c:7310
> #5 0x00007f603c550626 in xmlParseChunk__internal_alias (ctxt=0xcb1700,
> chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
> #6 0x00007f602bac4cd0 in ?? () from /usr/lib/librsvg-2.so.2
> #7 0x00007f602bcf0d7c in ?? () from /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
> #8 0x00007f603a5d4c99 in IA__gdk_pixbuf_loader_write (loader=0xb28ea0,
> buf=0xc94180 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!-- Generator: Adobe Illustrator 10.0.3, SVG Export Plug-In . SVG Version: 3.0.0 Build 77) -->\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.0//EN\" \"http://www.w3"..., count=4082, error=0xcc8528)
> at /scratch/build-area/gtk+2.0-2.12.11/gdk-pixbuf/gdk-pixbuf-loader.c:475
> #9 0x00007f603ab9c530 in icon_info_ensure_scale_and_pixbuf (icon_info=0xcc84f0,
> scale_only=<value optimized out>)
> at /scratch/build-area/gtk+2.0-2.12.11/gtk/gtkicontheme.c:2743
> ...
> (you can see the rest of the backtraces in my mailing list email)
Seeing the backtrace, I'd say the same problem should probably be happening
with the stable updates, too.
Could you check what svg file is being opened here[1] ?, and check what
xmllint has to say about it ? (theoretically, it should segfault too)
Thanks
Mike
1. You can check /proc/$(pidof galeon)/fd when running galeon under gdb
and the segfault has occurred.
Bug no longer marked as found in version 2.6.32.dfsg-2+lenny.
Request was from Modestas Vainius <modestas@vainius.eu>
to control@bugs.debian.org.
(Sat, 23 Aug 2008 13:51:08 GMT)
Bug marked as found in version 2.6.32.dfsg-2+lenny1.
Request was from Modestas Vainius <modestas@vainius.eu>
to control@bugs.debian.org.
(Sat, 23 Aug 2008 13:51:09 GMT)
Acknowledgement sent to Christian Jaeger <christian@jaeger.mine.nu>:
Mike Hommey wrote:
> Could you check what svg file is being opened here[1] ?, and check what
> xmllint has to say about it ? (theoretically, it should segfault too)
>
Hm, I'm still seeing segfaults, now when *quitting* Galeon (but only in
~10% of cases).
I would be glad for a way to run an application under gdb so that when
it segfaults a "bt full" is spit automatically to a file I give, i.e.
some "with-gdb-backtrace-to $file $app $arguments". Can't get that to
run right now, and copy pasting from the console is tedious and I'm not
sure it's even broken in some cases (by that builtin pager that I cannot
seem to get switched off).
Christian.
(tired. Maybe I'll continue to look into the problems soon)
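Added example, not part of the original report and not the script the reporter later linked: a POSIX shell wrapper of the kind asked for above, which runs a program under gdb in batch mode with the pager off and writes a full backtrace of every thread to a file. The function names and the temporary command file are choices made for this example.

```shell
#!/bin/sh
# Added example (not the script linked from this report).
# Usage: sh with-gdb-backtrace-to.sh OUTFILE APP [ARGS...]

# Write the gdb command script: no pager, no confirmation prompts,
# run the program, then dump every thread's stack with locals once it stops.
write_gdb_commands() {
    cat >"$1" <<'EOF'
set pagination off
set confirm off
run
thread apply all bt full
EOF
}

# Succeed if the captured log shows the program was stopped by a signal.
# Matches both "Program received signal SIGSEGV" and the per-thread
# wording used by newer gdb releases.
log_shows_crash() {
    grep -q 'received signal SIG' "$1"
}

# Run APP under gdb and write gdb's output (which also contains the
# program's own stdout/stderr) to OUTFILE. Returns 1 if a crash was captured.
with_gdb_backtrace_to() {
    out=$1
    shift
    cmds=$(mktemp) || return 1
    write_gdb_commands "$cmds"
    # -batch: exit when the command script is done, never prompt.
    # --args: everything after it is the program and its arguments.
    gdb -batch -x "$cmds" --args "$@" >"$out" 2>&1
    rm -f "$cmds"
    if log_shows_crash "$out"; then
        echo "crash captured in $out" >&2
        return 1
    fi
    return 0
}

# Only act when called with an output file and a program.
if [ "$#" -ge 2 ]; then
    with_gdb_backtrace_to "$@"
fi
```
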
Acknowledgement sent to Christian Jaeger <christian@jaeger.mine.nu>:
Christian Jaeger wrote:
> Mike Hommey wrote:
>> Could you check what svg file is being opened here[1] ?, and check what
>> xmllint has to say about it ? (theoretically, it should segfault too)
>
> Hm, I'm still seeing segfaults, now when *quitting* Galeon (but only
> in ~10% of cases).
>
> I would be glad for a way to run an application under gdb so that when
> it segfaults a "bt full" is spit automatically to a file I give, i.e.
> some "with-gdb-backtrace-to $file $app $arguments". Can't get that to
> run right now, and copy pasting from the console is tedious and I'm
> not sure it's even broken in some cases (by that builtin pager that I
> cannot seem to get switched off).
Ok, got such a script to work now (I've put it up at
http://christian.jaeger.mine.nu/scratch/gdb/with-gdb-backtrace-to). But
interestingly the problem I'm seeing when quitting Galeon does not happen
when run under gdb from the start. D'oh.
So when I start Galeon (/usr/bin/galeon fewfwef) (since the segfault on
quit only happens when I first open an url), then attach with gdb and
then quit it:
$ gdb /usr/bin/galeon $galeonpid
..
(gdb) cont
Continuing.
# now I quit galeon from Galeon's menu
[Thread 0x41838950 (LWP 15524) exited]
[Thread 0x40b4e950 (LWP 15525) exited]
[Thread 0x42294950 (LWP 15520) exited]
[Thread 0x43a97950 (LWP 15529) exited]
[Thread 0x43296950 (LWP 15528) exited]
[Thread 0x44298950 (LWP 15530) exited]
[Thread 0x42a95950 (LWP 15523) exited]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f0ea72fa780 (LWP 15517)]
0x00007f0ea2e12a67 in malloc_consolidate () from /lib/libc.so.6
# backtrace see attachment (although from a different run, thus addresses will not be the same)
(gdb) cont
Continuing.
^C^C^C^C
# I can't get gdb to stop Galeon anymore, I have to kill -9 $galeonpid. Strange.
strace -p $galeonpid shows
futex(0x7fa43612f9e0, FUTEX_WAIT_PRIVATE, 2, NULL
Running "strace /usr/bin/galeon" will get strace killed by glibc because of:
...
[pid 15677] read(32, "\375\375\375\377QQQ\371\t\t\t\317\0\0\0\27\0\0\0\4\0\0\0\10\0\0\0003\0\0\0005\0"..., 4096) = 4096
[pid 15677] lseek(32, 73728, SEEK_SET) = 73728
[pid 15677] close(32) = 0
[pid 15677] munmap(0x7f7933a12000, 4096) = 0
*** glibc detected *** strace: malloc(): memory corruption (fast): 0x00000000006567d0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7fc387300968]
/lib/libc.so.6[0x7fc38730369f]
/lib/libc.so.6(__libc_malloc+0x98)[0x7fc387304a98]
strace[0x408380]
strace[0x4058de]
strace[0x404616]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fc3872ab1a6]
strace[0x401f69]
[pid 15677] select(Aborted
Well, I seem to be fighting with about the 4th bug right now while
looking into the "gnome breakage from yesterday" problem. Strange, could
this all be related, i.e. some upgrade to glibc (introducing some malloc
breakage) breaking everything else?
I'm attaching the backtrace as file "galeon-backtrace-on-quit.txt".
This mail has all been with the older libxml2, 2.6.32.dfsg-2. I'll write
another mail when I get to install 2.6.32.dfsg-2+lenny again. Any news
on your front?
Christian.
#0 0x00007f387cceba67 in malloc_consolidate () from /lib/libc.so.6
No symbol table info available.
#1 0x00007f387ccee2e6 in _int_malloc () from /lib/libc.so.6
No symbol table info available.
#2 0x00007f387ccefa98 in malloc () from /lib/libc.so.6
No symbol table info available.
#3 0x00007f3874b6adb9 in PL_DHashTableInit (table=0x7fff8930f288, ops=0x7f387cfc69f8, data=<value optimized out>, entrySize=<value optimized out>, capacity=10313776) at pldhash.c:243
log2 = 15818384
nbytes = 524288
#4 0x00007f3874ba370f in GCGraphBuilder (this=0x7fff8930f250, aGraph=<value optimized out>, aRuntimes=<value optimized out>) at nsCycleCollector.cpp:1269
No locals.
#5 0x00007f3874ba3d5e in nsCycleCollector::BeginCollection (this=0x7f38811b2010) at nsCycleCollector.cpp:2310
builder = {<nsCycleCollectionTraversalCallback> = {_vptr.nsCycleCollectionTraversalCallback = 0x7f38752b6290}, mNodeBuilder = {mNextBlock = 0x7f38811b2080, mNext = @0x7f38811b2088, mBlockEnd = 0x0}, mEdgeBuilder = {mCurrent = 0x7f38811b2090, mBlockEnd = 0x7f38811b2090, mNextBlockPtr = 0x7f38811b2098}, mPtrToNodeMap = {ops = 0x7f38752e28a0, data = 0x0, hashShift = 17, maxAlphaFrac = 192 '�', minAlphaFrac = 64 '@', entrySize = 16, entryCount = 0, removedCount = 0, generation = 0, entryStore = 0x84b8c0 "\002"}, mCurrPi = 0x7fff8930f470, mRuntimes = 0x7f38811b2020}
#6 0x00007f387446d9fe in XPCCycleCollectGCCallback (cx=0x8801f0, status=JSGC_MARK_END) at nsXPConnect.cpp:440
ok = <value optimized out>
#7 0x00007f38753339f5 in ?? () from /usr/lib/xulrunner-1.9/libmozjs.so
No symbol table info available.
#8 0x00007f387446cdf4 in nsXPConnect::Collect (this=0x87a210) at nsXPConnect.cpp:529
cycleCollectionContext = {<nsAXPCNativeCallContext> = {_vptr.nsAXPCNativeCallContext = 0x7f387515f140}, mState = XPCCallContext::HAVE_CONTEXT, mXPC = 0x87a210, mThreadData = 0x84b6a0, mXPCContext = 0x8808f0, mJSContext = 0x8801f0, mContextPopRequired = 1, mDestroyJSContextInDestructor = 0, mCallerLanguage = XPCContext::LANG_NATIVE, mPrevCallerLanguage = XPCContext::LANG_UNKNOWN, mPrevCallContext = 0x0, mOperandJSObject = 0x2f720, mCurrentJSObject = 0x20, mFlattenedJSObject = 0x80, mWrapper = 0x7fff8930f5f8, mTearOff = 0x7f3874bf3eb0, mScriptableInfo = 0x12a13d0, mSet = 0x900000068, mInterface = 0x75706d6f00000004, mMember = 0x20, mName = 139880591813088, mStaticMemberIsLocal = 18089984, mArgc = 0, mArgv = 0x7fff89310b10, mRetVal = 0x7fff8930f5f8, mExceptionWasThrown = -2128928752, mReturnValueWasSet = 32568, mMethodIndex = 0, mCallee = 0x0, mStringWrapperData = "\005\000\000\000\000\000\000\000p�y\000\000\000\000\000\000\000\000\0008\177\000\000 s1\211�\177\000\000P�t8\177\000\000\000\000\000\000\000\000\000"}
cx = (JSContext *) 0x8801f0
#9 0x00007f3874ba3ebe in nsCycleCollector::Collect (this=0x7f38811b2010, aTryCollections=5) at nsCycleCollector.cpp:2250
collected = 13115424
obs = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
whiteNodes = {<nsTPtrArray<PtrInfo>> = {<nsTArray<PtrInfo*>> = {<nsTArray_base> = {static sEmptyHdr = {mLength = 0, mCapacity = 0, mIsAutoArray = 0}, mHdr = 0x7fff8930f618}, <No data fields>}, <No data fields>}, mAutoBuf = "\000\000\000\000�\017\000\200`\r�\000\000\000\000\000\001\000\000\000\000\000\000\000\000\0371\211�\177\000\000�\0361\211�\177\000\000�\026\021\001", '\0' <repeats 28 times>, "`�+\001\000\000\000\000r\000\000\000q\000\000\000\000\000\000\000\002\000\000\000?\000\000\000>\000\000\000`�+\001\000\000\000\000r\000\000\000q\000\000\000\000\000\000\000\002\000\000\000?\000\000\000>", '\0' <repeats 11 times>, "�\023*\001\000\000\000\000p\236\031\001\000\000\000\000٧at8\177\000\000 \t1\211�\177\000\000\020�+\001\000\000\000\000\000\n1\211�\177\000\000\020�+\001\000\000\000\000\000\b\024\001\000\000\000\000��at8\177\000\000x\v1"...}
totalCollections = 0
#10 0x00007f3874ba3fec in nsCycleCollector::Shutdown (this=0x7f387cfc69e0) at nsCycleCollector.cpp:2471
No locals.
#11 0x00007f3874ba400a in nsCycleCollector_shutdown () at nsCycleCollector.cpp:2932
No locals.
#12 0x00007f3874b7328f in NS_ShutdownXPCOM_P (servMgr=0x0) at nsXPComInit.cpp:811
rv = <value optimized out>
moduleLoaders = {<nsCOMPtr_base> = {mRawPtr = 0x1003900}, <No data fields>}
#13 0x00007f38744663f4 in XRE_TermEmbedding () at nsEmbedFunctions.cpp:160
No locals.
#14 0x00007f3874459604 in EmbedPrivate::PopStartup () at EmbedPrivate.cpp:565
No locals.
#15 0x000000000047cdd6 in ?? ()
No symbol table info available.
#16 0x00007f387da41e98 in IA__g_object_unref (_object=<value optimized out>) at /build/buildd/glib2.0-2.16.4/gobject/gobject.c:1793
object = (GObject *) 0x79a8c0
__PRETTY_FUNCTION__ = "IA__g_object_unref"
#17 0x0000000000443045 in ?? ()
No symbol table info available.
#18 0x00007f387da41e98 in IA__g_object_unref (_object=<value optimized out>) at /build/buildd/glib2.0-2.16.4/gobject/gobject.c:1793
object = (GObject *) 0x76bc30
__PRETTY_FUNCTION__ = "IA__g_object_unref"
#19 0x00007f387da41e98 in IA__g_object_unref (_object=<value optimized out>) at /build/buildd/glib2.0-2.16.4/gobject/gobject.c:1793
object = (GObject *) 0xc82020
__PRETTY_FUNCTION__ = "IA__g_object_unref"
#20 0x00007f387ee1224b in IA__gtk_main_do_event (event=0x12b7c30) at /scratch/build-area/gtk+2.0-2.12.11/gtk/gtkmain.c:1556
event_widget = (GtkWidget *) 0xc82020
grab_widget = (GtkWidget *) 0xc82020
window_group = (GtkWindowGroup *) 0x0
rewritten_event = (GdkEvent *) 0x0
tmp_list = <value optimized out>
__PRETTY_FUNCTION__ = "IA__gtk_main_do_event"
#21 0x00007f387ea73f8c in gdk_event_dispatch (source=<value optimized out>, callback=<value optimized out>, user_data=<value optimized out>) at /scratch/build-area/gtk+2.0-2.12.11/gdk/x11/gdkevents-x11.c:2351
display = <value optimized out>
event = <value optimized out>
#22 0x00007f387d7aa892 in IA__g_main_context_dispatch (context=0x792540) at /build/buildd/glib2.0-2.16.4/glib/gmain.c:2012
No locals.
#23 0x00007f387d7ae01d in g_main_context_iterate (context=0x792540, block=1, dispatch=1, self=<value optimized out>) at /build/buildd/glib2.0-2.16.4/glib/gmain.c:2645
max_priority = 2147483647
timeout = 3510
some_ready = 1
nfds = 12
allocated_nfds = <value optimized out>
fds = (GPollFD *) 0x103bf50
__PRETTY_FUNCTION__ = "g_main_context_iterate"
#24 0x00007f387d7ae54d in IA__g_main_loop_run (loop=0xc0d410) at /build/buildd/glib2.0-2.16.4/glib/gmain.c:2853
self = (GThread *) 0x75ee20
__PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#25 0x00007f387f74f336 in bonobo_main () from /usr/lib/libbonobo-2.so.0
No symbol table info available.
#26 0x000000000043d7b3 in main ()
No symbol table info available.
Acknowledgement sent to Christian Jaeger <christian@jaeger.mine.nu>:
Mike Hommey wrote:
> Could you check what svg file is being opened here[1] ?, and check what
> xmllint has to say about it ? (theoretically, it should segfault too)
>
I've now installed the lenny libxml2 again:
novo:/dev/shm/archives# dpkgli "libxml2*"
ii libxml2 2.6.32.dfsg-2+lenny1 GNOME XML library
ii libxml2-utils 2.6.32.dfsg-2+lenny1 XML utilities
and as expected galeon does again segfault upon startup as it did before I downgraded libxml2.
Your trick with the open fd's doesn't work, at the time of the segfault, no relevant fd is open anymore:
chris@novo:/tmp/chris$ l /proc/15985/{,task/*}/fd|perl -wne 's/.*2008-08-23.{6}//;print'|sort|uniq
0 -> /dev/pts/22
10 -> socket:[73309]
11 -> socket:[73312]
12 -> socket:[73314]
13 -> socket:[73317]
14 -> socket:[73321]
15 -> socket:[73318]
16 -> /home/chris/.galeon/mozilla/galeon/.parentlock
17 -> /dev/random
18 -> pipe:[73325]
19 -> pipe:[73325]
1 -> /dev/pts/22
20 -> socket:[73327]
21 -> /home/chris/.galeon/mozilla/galeon/permissions.sqlite
2 -> /dev/pts/22
3 -> socket:[73304]
4 -> pipe:[73306]
5 -> pipe:[73306]
6 -> pipe:[73307]
7 -> pipe:[73307]
8 -> pipe:[73308]
9 -> pipe:[73308]
/proc/15985//fd:
/proc/15985/task/15985/fd:
/proc/15985/task/15987/fd:
total 0
So instead I've run
strace -fF -o _out /usr/bin/galeon fewfwef
and now
chris@novo:/tmp/chris$ grep open _out.1598* -l
_out.15985
chris@novo:/tmp/chris$ cat _out.1598* |grep open|grep -v ENOENT|less
# I'm stripping uninteresting stuff away
...
...
...
open("/usr/lib/xulrunner-1.9/defaults/pref/xulrunner.js", O_RDONLY) = 18
...
open("/usr/lib/xulrunner-1.9/components/xpcom_io.xpt", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/nsBlocklistService.js", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/modules/XPCOMUtils.jsm", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/xpcom_ds.xpt", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/extensions.xpt", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/xpcom_components.xpt", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/nsExtensionManager.js", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/nsUpdateService.js", O_RDONLY) = 21
open("/usr/lib/xulrunner-1.9/components/nsTryToClose.js", O_RDONLY) = 21
open("/home/chris/.galeon/mozilla/galeon/prefs.js", O_RDONLY) = 21
open("/usr/share/galeon/default-prefs.js", O_RDONLY) = 21
open("/home/chris/.galeon/mozilla/galeon/prefs.js", O_RDONLY) = 21
open("/usr/share/themes/Wasp/gtk-2.0/gtkrc", O_RDONLY) = 21
..
open("/usr/share/themes/Default/gtk-2.0-key/gtkrc", O_RDONLY) = 21
open("/dev/urandom", O_RDONLY) = 21
open("/home/chris/.galeon/favicon_cache.xml", O_RDONLY) = 21
open("/home/chris/.galeon/favicon_cache/CACHEDIR.TAG", O_RDWR|O_CREAT, 0660) = 21
open("/home/chris/.galeon/history2.xml", O_RDONLY) = 21
...
open("/etc/mtab", O_RDONLY) = 22
open("/usr/share/icons/Wasp/index.theme", O_RDONLY) = 21
open("/usr/share/icons/Wasp/icon-theme.cache", O_RDONLY) = 21
open("/usr/share/icons/Wasp/icon-theme.cache", O_RDONLY) = 22
open("/usr/share/icons/gnome/index.theme", O_RDONLY) = 21
open("/usr/share/icons/gnome/8x8/emblems", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 21
open("/usr/share/icons/gnome/16x16/actions", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 21
...
#many icons like:
open("/usr/share/icons/gnome/24x24/places/folder.icon", O_RDONLY) = 22
...
...
open("/usr/share/icons/gnome/scalable/status/stock_open.icon", O_RDONLY) = 22
...
open("/home/chris/.galeon/bookmarks.xbel", O_RDONLY) = 21
..
open("/usr/lib64/gtk-2.0/2.10.0/immodule-files.d/libgtk2.0-0.immodules", O_RDONLY) = 22
open("/etc/fonts/fonts.conf", O_RDONLY) = 21
..
open("/etc/fonts/conf.d/80-delicious.conf", O_RDONLY) = 23
open("/etc/fonts/conf.d/90-synthetic.conf", O_RDONLY) = 23
..
open("/var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-x86-64.cache-2", O_RDONLY) = 21
open("/var/cache/fontconfig/6333f38776742d18e214673cd2c24e34-x86-64.cache-2", O_RDONLY) = 21
open("/proc/meminfo", O_RDONLY) = 21
open("/usr/share/fonts/truetype/ttf-bitstream-vera/Vera.ttf", O_RDONLY) = 21
...
open("/usr/lib64/pango/1.6.0/module-files.d/libpango1.0-0.modules", O_RDONLY) = 22
...
open("/home/chris/.galeon/toolbars.xml", O_RDONLY) = 21
...
open("/usr/share/galeon/galeon-egg-ui.xml", O_RDONLY) = 21
...
open("/usr/share/galeon/google_images.png", O_RDONLY) = 21
open("/home/chris/.galeon/sidebars.xml", O_RDONLY) = 21
open("/usr/share/icons/gnome/16x16/actions/gtk-close.png", O_RDONLY) = 21
open("/dev/urandom", O_RDONLY) = 21
open("/home/chris/.galeon/mozilla/galeon/permissions.sqlite", O_RDWR|O_CREAT, 0644) = 21
open("/usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg", O_RDONLY) = 22
open("/usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so", O_RDONLY) = 22
open("/etc/ld.so.cache", O_RDONLY) = 22
open("/usr/lib/librsvg-2.so.2", O_RDONLY) = 22
open("/usr/lib/libgsf-1.so.114", O_RDONLY) = 22
open("/usr/lib/libcroco-0.6.so.3", O_RDONLY) = 22
open("/lib/libbz2.so.1.0", O_RDONLY) = 22
So it's probably the gtk-go-back-ltr.svg file, since it's the last opened one before the segfault. Just to be sure:
chris@novo:/tmp/chris$ cat _out.1598* |grep open|grep -v ENOENT|egrep -i '\.(xml|rdf|svg)'
open("/home/chris/.galeon/favicon_cache.xml", O_RDONLY) = 21
open("/home/chris/.galeon/history2.xml", O_RDONLY) = 21
open("/home/chris/.galeon/toolbars.xml", O_RDONLY) = 21
open("/usr/share/galeon/galeon-egg-ui.xml", O_RDONLY) = 21
open("/home/chris/.galeon/sidebars.xml", O_RDONLY) = 21
open("/usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg", O_RDONLY) = 22
chris@novo:/tmp/chris$ cat _out.1598* |grep open|grep -v ENOENT|egrep -i '\.(xml|rdf|svg)'|perl -wne 'm/"([^"]*)"/ and print "$1\n"'|bash -c 'set -e; while read f; do xmllint "$f" > "`basename "$f"`"; done'
/usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg:11: parser warning : xmlns: URI &ns_svg; is not absolute
xmlns="&ns_svg;" xmlns:xlink="&ns_xlink;" xmlns:a="http://ns.adobe.com/AdobeSV
^
chris@novo:/tmp/chris$ xmllint /usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg > foo
/usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg:11: parser warning : xmlns: URI &ns_svg; is not absolute
xmlns="&ns_svg;" xmlns:xlink="&ns_xlink;" xmlns:a="http://ns.adobe.com/AdobeSV
^
chris@novo:/tmp/chris$ echo $?
0
So, interestingly, no, xmllint does not segfault on this file. (Although
it is giving a warning.)
Maybe another point hinting at a general heap corruption issue and not
really a problem in libxml2.
Christian.
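Added example, not part of the original message: the triage step above as a reusable function that reports the last XML, RDF or SVG file opened successfully before SIGSEGV in a per-process strace log such as the _out.15985 file. The sample trace is constructed in the shape of the lines quoted in this thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find the parser input most likely involved in a crash.
# Usage: sh last-open.sh STRACE_LOG   (no argument: run on the constructed sample)

# Print the last .xml/.rdf/.svg path opened successfully before the first
# SIGSEGV line in the log. Exit status 1 if there is no SIGSEGV or no such open.
last_markup_open_before_segv() {
    awk '
        # Signal delivery line, with or without a leading pid column.
        /^(\[pid +[0-9]+\] |[0-9]+ +)?--- SIGSEGV/ { seen = 1; exit }
        # open()/openat() calls that did not fail (failures return -1).
        /open(at)?\(/ && !/ = -1 / {
            if (match($0, /"[^"]*"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                if (tolower(path) ~ /\.(xml|rdf|svg)$/) last = path
            }
        }
        END {
            if (seen && last != "") print last
            else exit 1
        }
    ' "$1"
}

# Constructed sample, not real output: a failed open, the suspect SVG,
# the loader libraries opened after it, the signal, and a later open
# that must be ignored because it follows the crash.
write_sample_trace() {
    cat >"$1" <<'EOF'
open("/home/chris/.galeon/sidebars.xml", O_RDONLY) = 21
open("/usr/share/icons/Wasp/scalable/actions/missing.svg", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg", O_RDONLY) = 22
open("/usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so", O_RDONLY) = 22
open("/usr/lib/librsvg-2.so.2", O_RDONLY) = 22
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
open("/home/chris/.galeon/history2.xml", O_RDONLY) = 21
EOF
}

if [ "$#" -ge 1 ]; then
    last_markup_open_before_segv "$1"
else
    tmp=$(mktemp) || exit 1
    write_sample_trace "$tmp"
    last_markup_open_before_segv "$tmp"
    rm -f "$tmp"
fi
```

The extension filter matters because the shared libraries loaded to render the file are opened after it, so the literal last open before the signal is not the document being parsed.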
Acknowledgement sent to Walter <we3@federatedrobotics.com>:
I'm running etch and it seems like it is being affected by this bug
also. Just after updating libxml2 to 2.6.27.dfsg-3 I was unable to open
any files with eog, nor eog alone. No error messages when run from the
command line, no pop ups. Upon rebooting gdm started but when starting
gnome, it would hang for a little while at starting the window manager,
and then stop with the top and bottom panels drawn with nothing in them,
no menus, icons, or applets, just blank panels. No response from the
panels.
Downgrading from 2.6.27.dfsg-3 back to 2.6.27.dfsg-2 fixed the problem.
Acknowledgement sent to Christian Jaeger <christian@jaeger.mine.nu>:
Cc: Walter <we3@federatedrobotics.com>, Mike Hommey <mh@glandium.org>
Subject: libxml2 Gnome problem on 64bit only?
Date: Sun, 24 Aug 2008 08:52:25 +0200
My first guess was a recently introduced breakage/incompatibility in
glibc or similar library, but that sounds implausible as the bug also
manifests itself in etch (which other packages than libxml2 have changed
with the recent update in etch? none of the dependencies of Gnome apps,
right?).
My second guess would be a multithreading issue. So I've checked here
with one of the cores of the Core 2 duo disabled (and also with
frequency scaling set to fixed 2.5 GHz as well as 800 MHz), but that
brought no change. (That doesn't preclude a multithreading issue; just
that people with a single-core CPU should generally be able to see the
problem too.)
I wonder if only people on 64bit machines are seeing the problem? Maybe
everyone contributing to the bug report could mention which kind of CPU
they are testing on and whether they can reproduce the issue or not.
Christian.
Acknowledgement sent to Mike Hommey <mh@glandium.org>:
On Sat, Aug 23, 2008 at 11:26:41PM +0200, Christian Jaeger wrote:
> open("/usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg", O_RDONLY) = 22
>
> chris@novo:/tmp/chris$ cat _out.1598* |grep open|grep -v ENOENT|egrep -i '\.(xml|rdf|svg)'|perl -wne 'm/"([^"]*)"/ and print "$1\n"'|bash -c 'set -e; while read f; do xmllint "$f" > "`basename "$f"`"; done'
> /usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg:11: parser warning : xmlns: URI &ns_svg; is not absolute
> xmlns="&ns_svg;" xmlns:xlink="&ns_xlink;" xmlns:a="http://ns.adobe.com/AdobeSV
> ^
>
> chris@novo:/tmp/chris$ xmllint /usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg > foo
> /usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg:11: parser warning : xmlns: URI &ns_svg; is not absolute
> xmlns="&ns_svg;" xmlns:xlink="&ns_xlink;" xmlns:a="http://ns.adobe.com/AdobeSV
> ^
> chris@novo:/tmp/chris$ echo $?
> 0
Now, try changing your gnome theme and re-run galeon; if I'm correct,
it shouldn't crash. Can you tell me what package this svg file belongs
to?
Mike
PS: Your galeon crash with the unstable version is unrelated.
Acknowledgement sent to Christian Jaeger <christian@jaeger.mine.nu>:
Mike Hommey wrote:
> Now, try changing your gnome theme and re-run galeon; if I'm correct,
> it shouldn't crash. Can you tell me what package this svg file belongs
> to?
>
Yes, the segfaults happen only in the "Gorilla" and "Wasp" themes (apps
did start when running the Amaranth, Clearlooks, Crux, Glider, Glossy,
Industrial, Lush, Mist, Nuvola, SphereCrystal themes).
With Gorilla the svg file in question is
/usr/share/icons/Gorilla/scalable/actions/gtk-jump-to-ltr.svg
# dpkgS is a script which resolves symlinks and then looks it up with dpkg -S
chris@novo:~$ dpkgS /usr/share/icons/Gorilla/scalable/actions/gtk-jump-to-ltr.svg
gnome-themes-extras: /usr/share/icons/Gorilla/scalable/actions/go-jump.svg
chris@novo:~$ dpkgS /usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg
gnome-themes-extras: /usr/share/icons/Wasp/scalable/actions/go-previous.svg
chris@novo:/tmp/chris$ xmllint /usr/share/icons/Gorilla/scalable/actions/gtk-jump-to-ltr.svg > svg
chris@novo:/tmp/chris$ echo $?
0
What this file does *not* share with the one from the Wasp theme is
that xmllint does not even output a warning.
Not sure what to conclude from this. Except that it might be a bug in
one of these packages:
$ dpkgS /usr/lib/librsvg-2.so.2
librsvg2-2: /usr/lib/librsvg-2.so.2.22.2
$ dpkgS /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
librsvg2-common: /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
> PS: Your galeon crash with the unstable version is unrelated.
>
Are you sure? Why? Galeon didn't segfault for me on quit before the
latest upgrade (sure, Galeon itself or any of its other dependencies
could also have been upgraded).
Acknowledgement sent to Mike Hommey <mh@glandium.org>:
On Sat, Aug 23, 2008 at 11:38:09PM -0500, Walter wrote:
> I'm running etch and it seems like it is being affected by this bug
> also. Just after updating libxml2 to 2.6.27.dfsg-3 I was unable to open
> any files with eog, nor eog alone. No error messages when run from the
> command line, no pop ups. Upon rebooting gdm started but when starting
> gnome, it would hang for a little while at starting the window manager,
> and then stop with the top and bottom panels drawn with nothing in them,
> no menus, icons, or applets, just blank panels. No response from the
> panels.
>
> Downgrading from 2.6.27.dfsg-3 back to 2.6.27.dfsg-2 fixed the problem.
Are you using the Wasp theme ?
Mike
Acknowledgement sent to Mike Hommey <mh@glandium.org>:
On Sun, Aug 24, 2008 at 09:27:50AM +0200, Christian Jaeger wrote:
> Mike Hommey wrote:
>> Now, try changing your gnome theme and re-run galeon; if I'm correct,
>> it shouldn't crash. Can you tell me what package this svg file belongs
>> to?
>>
>
> Yes, the segfaults happen only in the "Gorilla" and "Wasp" themes (apps
> did start when running the Amaranth, Clearlooks, Crux, Glider, Glossy,
> Industrial, Lush, Mist, Nuvola, SphereCrystal themes).
>
> With Gorilla the svg file in question is
> /usr/share/icons/Gorilla/scalable/actions/gtk-jump-to-ltr.svg
>
> # dpkgS is a script which resolves symlinks and then looks it up with dpkg -S
> chris@novo:~$ dpkgS /usr/share/icons/Gorilla/scalable/actions/gtk-jump-to-ltr.svg
> gnome-themes-extras: /usr/share/icons/Gorilla/scalable/actions/go-jump.svg
> chris@novo:~$ dpkgS /usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg
> gnome-themes-extras: /usr/share/icons/Wasp/scalable/actions/go-previous.svg
>
> chris@novo:/tmp/chris$ xmllint /usr/share/icons/Gorilla/scalable/actions/gtk-jump-to-ltr.svg > svg
> chris@novo:/tmp/chris$ echo $?
> 0
>
>
> What this file does *not* share with the one from the Wasp theme is
> that xmllint does not even output a warning.
>
> Not sure what to conclude from this. Except that it might be a bug in
> one of these packages:
>
> $ dpkgS /usr/lib/librsvg-2.so.2
> librsvg2-2: /usr/lib/librsvg-2.so.2.22.2
> $ dpkgS /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
> librsvg2-common: /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
>
>
>> PS: Your galeon crash with the unstable version is unrelated.
>>
>
> Are you sure? Why? Galeon didn't segfault for me on quit before the
> latest upgrade (sure, Galeon itself or any of its other dependencies
> could also have been upgraded).
Take a look at the backtrace, it doesn't involve libxml2.
Acknowledgement sent to Christian Jaeger <christian@jaeger.mine.nu>:
Christian Jaeger wrote:
> Not sure what to conclude from this. Except that it might be a bug in
> one of these packages:
>
> $ dpkgS /usr/lib/librsvg-2.so.2
> librsvg2-2: /usr/lib/librsvg-2.so.2.22.2
> $ dpkgS /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
> librsvg2-common: /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
With the problematic libxml2, rsvg-view segfaults, too:
$ LD_LIBRARY_PATH=/usr/lib/debug with-gdb-backtrace-to rsvg-view rsvg-view /usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg
with-gdb-backtrace-to: application generated a backtrace
See attachment. (As already mentioned, the *rsvg* packages do not seem to offer any debugging symbols.)
What's the best way to inform/involve the librsvg maintainer(s), open a separate bug report there?
Christian.
Acknowledgement sent to Christian Jaeger <christian@jaeger.mine.nu>:
Mike Hommey wrote:
>>> PS: Your galeon crash with the unstable version is unrelated.
>>>
>>>
>> Are you sure? Why? Galeon didn't segfault for me on quit before the
>> latest upgrade (sure, Galeon itself or any of its other dependencies
>> could also have been upgraded).
>>
>
> Take a look at the backtrace, it doesn't involve libxml2.
>
Yes sure. And that segfault happened with the *non*-problematic libxml2
version. I should have been a little more clear: my whole point there
was that *another* change than the one in libxml2 might have introduced
a problem, which is just exhibited by the new libxml2. As we don't know
whether it's libxml2's fault or the fault of another library, I have to
mention every other breakage, too.
Now you may be right and it's not "related" to libxml2 in the sense that
libxml2 might not be at fault for those issues, *but* those segfaults
might be very well related in the sense that they might lead us to the
very same cause leading to the segfaults we see inside libxml2. So your
conclusion to not further look at those crashes can't be definitive
(with our current knowledge).
Christian.
Acknowledgement sent to Mike Hommey <mh@glandium.org>:
On Sun, Aug 24, 2008 at 09:27:50AM +0200, Christian Jaeger wrote:
> Mike Hommey wrote:
> > Now, try changing your gnome theme and re-run galeon; if I'm correct,
> > it shouldn't crash. Can you tell me what package this svg file belongs
> > to?
> >
>
> Yes, the segfaults happen only in the "Gorilla" and "Wasp" themes (apps
> did start when running the Amaranth, Clearlooks, Crux, Glider, Glossy,
> Industrial, Lush, Mist, Nuvola, SphereCrystal themes).
>
> With Gorilla the svg file in question is
> /usr/share/icons/Gorilla/scalable/actions/gtk-jump-to-ltr.svg
>
> # dpkgS is a script which resolves symlinks and then looks it up with dpkg -S
> chris@novo:~$ dpkgS /usr/share/icons/Gorilla/scalable/actions/gtk-jump-to-ltr.svg
> gnome-themes-extras: /usr/share/icons/Gorilla/scalable/actions/go-jump.svg
> chris@novo:~$ dpkgS /usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg
> gnome-themes-extras: /usr/share/icons/Wasp/scalable/actions/go-previous.svg
>
> chris@novo:/tmp/chris$ xmllint /usr/share/icons/Gorilla/scalable/actions/gtk-jump-to-ltr.svg > svg
> chris@novo:/tmp/chris$ echo $?
> 0
>
>
> What this file does *not* share with the one from the Wasp theme is
> that xmllint does not even output a warning.
>
> Not sure what to conclude from this. Except that it might be a bug in
> one of these packages:
>
> $ dpkgS /usr/lib/librsvg-2.so.2
> librsvg2-2: /usr/lib/librsvg-2.so.2.22.2
> $ dpkgS /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
> librsvg2-common: /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
So... the culprit is just librsvg that creates xmlEntity objects not
through the API, but by malloc'ing a buffer of sizeof(xmlEntity).
This struct has gained a member in the security update, breaking rsvg's
assumptions...
A BinNMU of librsvg against libxml2-dev 2.6.32.dfsg-2+lenny1 should
solve the issue (and won't break compatibility with older libxml2, since
older libxml2 will be happy with a too big buffer)
Mike
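The size mismatch described in the message above, as an added C sketch that is not code from libxml2 or librsvg: the two struct layouts, the member name `added_member` and all function names are constructed for illustration. The caller's allocation is padded with canary bytes so the library's write to the appended member can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout in the header the application was compiled against (constructed). */
struct entity_old {
    int         type;
    const char *name;
    char       *content;
    int         length;
    int         owner;
};

/* Layout used inside the updated shared library: one member appended.
 * "added_member" is a hypothetical name. */
struct entity_new {
    int         type;
    const char *name;
    char       *content;
    int         length;
    int         owner;
    int         added_member;
};

#define CANARY 0xAA

/* Library side, built against the new layout: it fills in every member it
 * knows about, wherever the caller got the memory from. */
static void lib_init_entity(void *buf, const char *name)
{
    struct entity_new *e = buf;

    e->type = 1;
    e->name = name;
    e->content = NULL;
    e->length = 0;
    e->owner = 0;
    e->added_member = 0;   /* lands past the end of an old-sized buffer */
}

/* Caller side: emulates malloc(sizeof(entity)) with the size frozen at the
 * caller's compile time. The real allocation carries extra canary bytes
 * after caller_size, so the stray write stays inside memory we own.
 * Returns 1 if the library wrote past caller_size, 0 if not, -1 on error. */
static int library_writes_past(size_t caller_size)
{
    size_t guard = sizeof(struct entity_new);
    unsigned char *buf = malloc(caller_size + guard);
    int hit = 0;

    if (buf == NULL)
        return -1;
    memset(buf, CANARY, caller_size + guard);
    lib_init_entity(buf, "ns_svg");
    for (size_t i = caller_size; i < caller_size + guard; i++)
        if (buf[i] != CANARY)
            hit = 1;       /* in a real heap this is the next chunk's data */
    free(buf);
    return hit;
}

/* The robust pattern: the library allocates its own struct, so the size is
 * always the one the library was built with. Callers only hold the pointer
 * and never evaluate sizeof on the struct themselves. */
static struct entity_new *lib_entity_create(const char *name)
{
    struct entity_new *e = malloc(sizeof *e);

    if (e != NULL)
        lib_init_entity(e, name);
    return e;
}

int main(void)
{
    struct entity_new *e;

    printf("sizeof old/new layout: %zu/%zu\n",
           sizeof(struct entity_old), sizeof(struct entity_new));
    printf("caller built against old header, overrun: %d\n",
           library_writes_past(sizeof(struct entity_old)));
    printf("caller rebuilt against new header, overrun: %d\n",
           library_writes_past(sizeof(struct entity_new)));

    e = lib_entity_create("ns_svg");
    if (e == NULL)
        return 1;
    printf("library-allocated entity: name=%s\n", e->name);
    free(e);
    return 0;
}
```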
Acknowledgement sent to Christian Jaeger <christian@jaeger.mine.nu>:
Christian Jaeger wrote:
> $ LD_LIBRARY_PATH=/usr/lib/debug with-gdb-backtrace-to rsvg-view
> rsvg-view /usr/share/icons/Wasp/scalable/actions/gtk-go-back-ltr.svg
> with-gdb-backtrace-to: application generated a backtrace
>
> See attachment. (As already mentioned, the *rsvg* packages do not seem
> to offer any debugging symbols.)
Forgot it, here it is, just in case.
#0 0x00007f2dbc9725c8 in _int_free (av=0x7f2dbcc4b9e0, mem=0x63d360) at malloc.c:4663
p = (mchunkptr) 0x63d350
size = 320
nextchunk = (mchunkptr) 0x63d490
nextsize = 144
prevsize = <value optimized out>
bck = (mchunkptr) 0x11
fwd = (mchunkptr) 0x0
errstr = 0x7f2dbca1a8d8 "double free or corruption (!prev)"
#1 0x00007f2dbc972a76 in *__GI___libc_free (mem=0x63d360) at malloc.c:3626
ar_ptr = (mstate) 0x7f2dbcc4b9e0
p = (mchunkptr) 0x1
hook = <value optimized out>
#2 0x00007f2db9536065 in xmlParseEntityDecl__internal_alias (ctxt=0x63ba20) at parser.c:4809
name = (const xmlChar *) 0x63ce43 "ns_flows"
value = (xmlChar *) 0x63d360 "http://ns.adobe.com/Flows/1.0/"
URI = <value optimized out>
literal = (xmlChar *) 0x0
ndata = <value optimized out>
isParameter = 0
orig = (xmlChar *) 0x63d2f0 "http://ns.adobe.com/Flows/1.0/"
skipped = <value optimized out>
oldnbent = 0
#3 0x00007f2db95367e6 in xmlParseMarkupDecl__internal_alias (ctxt=0x7f2dbcc4b9e0) at parser.c:5947
No locals.
#4 0x00007f2db953687e in xmlParseInternalSubset (ctxt=0x63ba20) at parser.c:7310
No locals.
#5 0x00007f2db9537626 in xmlParseChunk__internal_alias (ctxt=0x63ba20, chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10782
end_in_lf = 0
#6 0x00007f2dbce91cd0 in ?? () from /usr/lib/librsvg-2.so.2
No symbol table info available.
#7 0x00000000004036d4 in ?? ()
No symbol table info available.
#8 0x0000000000404a7b in ?? ()
No symbol table info available.
#9 0x00007f2dbc91b1a6 in __libc_start_main (main=0x4042a0 <g_option_context_set_help_enabled@plt+3344>, argc=2, ubp_av=0x7fffc6758bd8, init=0x4053d0 <g_option_context_set_help_enabled@plt+7744>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fffc6758bc8) at libc-start.c:222
result = <value optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {4215760, -299704315845673451, 4208032, 140736522980304, 0, 0, 299683336656125461, 399771022013758997}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x2, 0x4042a0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 2}}}
not_first_call = <value optimized out>
#10 0x00000000004035c9 in ?? ()
No symbol table info available.
#11 0x00007fffc6758bc8 in ?? ()
No symbol table info available.
#12 0x000000000000001c in ?? ()
No symbol table info available.
#13 0x0000000000000002 in ?? ()
No symbol table info available.
#14 0x00007fffc675a6f8 in ?? ()
No symbol table info available.
#15 0x0000000000000000 in ?? ()
No symbol table info available.
The program is running. Exit anyway? (y or n) [answered Y; input not from terminal]
Acknowledgement sent to Walter <we3@federatedrobotics.com>:
Cc: 496125@bugs.debian.org, Mike Hommey <mh@glandium.org>
Subject: Re: libxml2 Gnome problem on 64bit only? + theme
Date: Sun, 24 Aug 2008 04:16:18 -0500
I updated the kernel at the same time to 2.6.18.dfsg.1-22etch2, but I'm
guessing that's not it.
I'm running an AMD Phenom 9500 (it's quad core), but I'm running all
32-bit, including a k7 kernel.
In regard to Mike's question, the theme is Gorilla.
On Sun, 2008-08-24 at 08:52 +0200, Christian Jaeger wrote:
> My first guess was a recently introduced breakage/incompatibility in
> glibc or similar library, but that sounds implausible as the bug also
> manifests itself in etch (which other packages than libxml2 have changed
> with the recent update in etch? none of the dependencies of Gnome apps,
> right?).
>
> My second guess would be a multithreading issue. So I've checked here
> with one of the cores of the Core 2 duo disabled (and also with
> frequency scaling set to fixed 2.5 GHz as well as 800 MHz), but that
> brought no change. (That doesn't preclude a multithreading issue; just
> that people with a single-core CPU should generally be able to see the
> problem too.)
>
> I wonder if only people on 64bit machines are seeing the problem? Maybe
> everyone contributing to the bug report could mention which kind of CPU
> they are testing on and whether they can reproduce the issue or not.
>
> Christian.
>
>
Acknowledgement sent to Christian Jaeger <christian@jaeger.mine.nu>:
Mike Hommey wrote:
> A BinNMU of librsvg against libxml2-dev 2.6.32.dfsg-2+lenny1 should
> solve the issue (and won't break compatibility with older libxml2, since
> older libxml2 will be happy with a too big buffer)
>
I can confirm that installing a librsvg from lenny rebuilt against the
new libxml2-dev works.
# installing rebuilt librsvg2-2, librsvg2-bin, librsvg2-common, librsvg2-dev
(Reading database ... 236708 files and directories currently installed.)
Preparing to replace librsvg2-2 2.22.2-2 (using librsvg2-2_2.22.2-2.cj_amd64.deb) ...
Unpacking replacement librsvg2-2 ...
Preparing to replace librsvg2-bin 2.22.2-2 (using librsvg2-bin_2.22.2-2.cj_amd64.deb) ...
Unpacking replacement librsvg2-bin ...
Preparing to replace librsvg2-common 2.22.2-2 (using librsvg2-common_2.22.2-2.cj_amd64.deb) ...
Unpacking replacement librsvg2-common ...
Preparing to replace librsvg2-dev 2.22.2-2 (using librsvg2-dev_2.22.2-2.cj_amd64.deb) ...
Unpacking replacement librsvg2-dev ...
Setting up librsvg2-2 (2.22.2-2.cj) ...
Setting up librsvg2-bin (2.22.2-2.cj) ...
Setting up librsvg2-common (2.22.2-2.cj) ...
Setting up librsvg2-dev (2.22.2-2.cj) ...
eog, galeon and gnome-appearance-properties don't segfault anymore (interestingly,
now I also couldn't get galeon to segfault on quit anymore so far!).
Christian.
Acknowledgement sent to George Kiagiadakis <gkiagiad@csd.uoc.gr>:
This bug also affects strigi which unfortunately uses libxml2 too. This causes
applications that depend on strigi to crash too (like dolphin from kde4). In
dolphin, if you try to mouseover any file, it crashes with the following
backtrace:
Application: Dolphin (dolphin), signal SIGSEGV
[Thread debugging using libthread_db enabled]
[New Thread 0x7f53a8a02780 (LWP 27320)]
[KCrash handler]
#5 0x00007f53a535a5c8 in _int_free () from /lib/libc.so.6
#6 0x00007f53a535aa76 in free () from /lib/libc.so.6
#7 0x00007f53a0291054 in xmlParseEntityDecl () from /usr/lib/libxml2.so.2
#8 0x00007f53a02917e6 in xmlParseMarkupDecl () from /usr/lib/libxml2.so.2
#9 0x00007f53a029187e in ?? () from /usr/lib/libxml2.so.2
#10 0x00007f53a0292626 in xmlParseChunk () from /usr/lib/libxml2.so.2
#11 0x00007f53a451640d in Strigi::FieldPropertiesDb::Private::parseProperties
() from /usr/lib/libstreamanalyzer.so.0
#12 0x00007f53a4516842 in Strigi::FieldPropertiesDb::Private::loadProperties
() from /usr/lib/libstreamanalyzer.so.0
#13 0x00007f53a4519251 in Strigi::FieldPropertiesDb::Private::Private ()
from /usr/lib/libstreamanalyzer.so.0
#14 0x00007f53a4519f76 in Strigi::FieldPropertiesDb::FieldPropertiesDb ()
from /usr/lib/libstreamanalyzer.so.0
#15 0x00007f53a4519fd4 in Strigi::FieldPropertiesDb::db ()
from /usr/lib/libstreamanalyzer.so.0
#16 0x00007f53a451e815 in Strigi::FieldRegister::registerField ()
from /usr/lib/libstreamanalyzer.so.0
#17 0x00007f53a451ea0a in Strigi::FieldRegister::FieldRegister ()
from /usr/lib/libstreamanalyzer.so.0
#18 0x00007f53a4509e04 in Strigi::AnalyzerConfiguration::AnalyzerConfiguration
() from /usr/lib/libstreamanalyzer.so.0
#19 0x00007f53a8131956 in PredicatePropertyProvider (this=0xf2e810)
at /build/buildd/kde4libs-4.1.0/kio/kio/predicateproperties.cpp:116
#20 0x00007f53a8131b12 in PredicatePropertyProvider::self ()
at /build/buildd/kde4libs-4.1.0/kio/kio/predicateproperties.cpp:104
#21 0x00007f53a80f3e10 in KFileMetaInfoPrivate::init (this=0xe46e80,
stream=@0x7fffb0b396f0, url=@0x7fffb0b396e0, mtime=1214391724)
at /build/buildd/kde4libs-4.1.0/kio/kio/kfilemetainfo.cpp:194
#22 0x00007f53a80f5ecf in KFileMetaInfo (this=0x7fffb0b39880,
path=@0x7fffb0b39890)
at /build/buildd/kde4libs-4.1.0/kio/kio/kfilemetainfo.cpp:224
#23 0x000000000043efcb in InfoSidebarPage::showMetaInfo (this=0xabe730)
at /tmp/buildd/kdebase-4.1.0/apps/dolphin/src/infosidebarpage.cpp:388
#24 0x000000000043f3c1 in InfoSidebarPage::showItemInfo (this=0xabe730)
at /tmp/buildd/kdebase-4.1.0/apps/dolphin/src/infosidebarpage.cpp:223
#25 0x000000000043fc68 in InfoSidebarPage::qt_metacall (this=0xabe730,
_c=QMetaObject::InvokeMetaMethod, _id=17, _a=0x7fffb0b39bf0)
at /tmp/buildd/kdebase-4.1.0/obj-x86_64-linux-
gnu/apps/dolphin/src/infosidebarpage.moc:93
#26 0x00007f53a5fdb474 in QMetaObject::activate (sender=0x7a0870,
from_signal_index=<value optimized out>, to_signal_index=4, argv=0x0)
at kernel/qobject.cpp:3016
#27 0x00007f53a5fd5d83 in QObject::event (this=0x7a0870, e=0x7f53a54028d8)
at kernel/qobject.cpp:1105
#28 0x00007f53a66e641d in QApplicationPrivate::notify_helper (this=0x68bf70,
receiver=0x7a0870, e=0x7fffb0b3a290) at kernel/qapplication.cpp:3800
#29 0x00007f53a66ee17a in QApplication::notify (this=0x7fffb0b3a5d0,
receiver=0x7a0870, e=0x7fffb0b3a290) at kernel/qapplication.cpp:3765
#30 0x00007f53a7bdac0b in KApplication::notify (this=0x7fffb0b3a5d0,
receiver=0x7a0870, event=0x7fffb0b3a290)
at /build/buildd/kde4libs-4.1.0/kdeui/kernel/kapplication.cpp:311
#31 0x00007f53a5fc711f in QCoreApplication::notifyInternal (
this=0x7fffb0b3a5d0, receiver=0x7a0870, event=0x7fffb0b3a290)
at kernel/qcoreapplication.cpp:591
#32 0x00007f53a5ff2fa6 in QTimerInfoList::activateTimers (this=0x68f480)
at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#33 0x00007f53a5fef4fd in timerSourceDispatch (source=<value optimized out>)
at kernel/qeventdispatcher_glib.cpp:166
#34 0x00007f53a2134892 in IA__g_main_context_dispatch (context=0x68e890)
at /build/buildd/glib2.0-2.16.4/glib/gmain.c:2012
#35 0x00007f53a213801d in g_main_context_iterate (context=0x68e890, block=1,
dispatch=1, self=<value optimized out>)
at /build/buildd/glib2.0-2.16.4/glib/gmain.c:2645
#36 0x00007f53a21381db in IA__g_main_context_iteration (context=0x68e890,
may_block=1) at /build/buildd/glib2.0-2.16.4/glib/gmain.c:2708
#37 0x00007f53a5fef45f in QEventDispatcherGlib::processEvents (this=0x68b380,
flags=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:325
#38 0x00007f53a677786f in QGuiEventDispatcherGlib::processEvents (
this=0x7f53a56339e0, flags=<value optimized out>)
at kernel/qguieventdispatcher_glib.cpp:204
#39 0x00007f53a5fc5a42 in QEventLoop::processEvents (
this=<value optimized out>, flags={i = -1330404096})
at kernel/qeventloop.cpp:149
#40 0x00007f53a5fc5bcd in QEventLoop::exec (this=0x7fffb0b3a540, flags=
{i = -1330404016}) at kernel/qeventloop.cpp:200
#41 0x00007f53a5fc807d in QCoreApplication::exec ()
at kernel/qcoreapplication.cpp:849
#42 0x000000000044179d in main (argc=6, argv=0x7fffb0b3aab8)
at /tmp/buildd/kdebase-4.1.0/apps/dolphin/src/main.cpp:94
#0 0x00007f53a53830b0 in __nanosleep_nocancel () from /lib/libc.so.6
The weird thing about this backtrace is that after I installed libxml2-dbg to
get a better backtrace, the backtrace changed and libxml2 doesn't show up
anymore... plus that it now crashes with SIGABRT. Here are the first stack
frames (the rest is like before):
Application: Dolphin (dolphin), signal SIGABRT
[Thread debugging using libthread_db enabled]
[New Thread 0x7f860e7a0780 (LWP 1112)]
[KCrash handler]
#5 0x00007f860b0b4ef5 in raise () from /lib/libc.so.6
#6 0x00007f860b0b6413 in abort () from /lib/libc.so.6
#7 0x00007f860b0f13e8 in __libc_message () from /lib/libc.so.6
#8 0x00007f860b0f6968 in malloc_printerr () from /lib/libc.so.6
#9 0x00007f860b0f8a76 in free () from /lib/libc.so.6
#10 0x00007f860a2b448a in Strigi::FieldPropertiesDb::Private::parseProperties
() from /usr/lib/libstreamanalyzer.so.0
#11 0x00007f860a2b4842 in Strigi::FieldPropertiesDb::Private::loadProperties
() from /usr/lib/libstreamanalyzer.so.0
#12 0x00007f860a2b7251 in Strigi::FieldPropertiesDb::Private::Private ()
from /usr/lib/libstreamanalyzer.so.0
Anyway, I am sure libxml2 is the problem because downgrading libxml2 to
2.6.32.dfsg-2 solves the problem.
Forcibly Merged 496125 496311.
Request was from Loïc Minier <lool@dooz.org>
to control@bugs.debian.org.
(Sun, 24 Aug 2008 12:33:08 GMT)
Forcibly Merged 496125 496190 496311.
Request was from Loïc Minier <lool@dooz.org>
to control@bugs.debian.org.
(Sun, 24 Aug 2008 12:36:11 GMT)
Forcibly Merged 496125 496178 496190 496311.
Request was from Loïc Minier <lool@dooz.org>
to control@bugs.debian.org.
(Sun, 24 Aug 2008 12:36:15 GMT)
Tags added: confirmed
Request was from Loic Minier <lool@dooz.org>
to control@bugs.debian.org.
(Sun, 24 Aug 2008 12:39:04 GMT)
Acknowledgement sent to Emmanuel Kasper <manu@fra.net>:
To: Debian Bug Tracking System <496125@bugs.debian.org>
Subject: libxml2 problem confirmed on different platform: etch ppc
Date: Mon, 25 Aug 2008 08:39:13 +0200
Package: libxml2
Followup-For: Bug #496125
Hello
Sorry for the me-too of this report, but I can confirm this bug on debian
etch running on a single processor ppc (G4) 32 bits platform.
It happens I also use the Gorilla theme, and the symptoms were exactly those
reported in message 39 of this bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496125#39
I downgraded libxml2 from 2.6.27.dfsg-3 to 2.6.27.dfsg-2 and the problem does not appear.
For people reading this bug report: the procedure to downgrade a security fix
is documented here (that's what I used)
http://wiki.debian.org/RollbackUpdate
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: powerpc (ppc)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-powerpc
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Versions of packages libxml2 depends on:
ii libc6 2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages libxml2 recommends:
ii xml-core 0.09-0.1 XML infrastructure and XML catalog
-- no debconf information
Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
Does anyone know of any reverse-dependencies that were broken by the
libxml2 update other than strigi and librsvg?
librsvg should certainly be fixed to use the public API for creating
xmlEntity objects... has anyone investigated strigi/qt to see whether it
is guilty of the same crime? :)
--
Sam Morris
http://robots.org.uk/
PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078
Acknowledgement sent to Mike Hommey <mh@glandium.org>:
To: Sam Morris <sam@robots.org.uk>, 496125@bugs.debian.org
Subject: Re: [xml/sgml-pkgs] Bug#496125: Packages affected by libxml2 update
Date: Mon, 25 Aug 2008 19:44:38 +0200
On Mon, Aug 25, 2008 at 05:57:33PM +0100, Sam Morris wrote:
> Does anyone know of any reverse-dependencies that were broken by the
> libxml2 update other than strigi and librsvg?
>
> librsvg should certainly be fixed to use the public API for creating
> xmlEntity objects... has anyone investigated strigi/qt to see whether it
> is guilty of the same crime? :)
Isn't it indirectly depending on librsvg ?
Mike
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
[also posted to oss-security.]
It's unclear if struct xmlEntity (especially its external allocation) is
part of the public API or not.
liferea 1.4.16b has this:
src/xml.c: entity = (xmlEntityPtr)g_new0 (xmlEntity, 1);
PHP 5.2.6 has this:
ext/dom/dom_iterators.c:61: ret = (xmlEntityPtr) xmlMalloc(sizeof(xmlEntity));
ext/dom/dom_iterators.c:62: memset(ret, 0, sizeof(xmlEntity));
QT 4.4.0 has this (with an instructive comment in front of it):
src/3rdparty/webkit/WebCore/dom/XMLTokenizer.cpp:static xmlEntity sharedXHTMLEntity = {
(This is not the result of an exhaustive search.)
Acknowledgement sent to Chris Burkhardt <chris@mretc.net>:
To: Mike Hommey <mh@glandium.org>, 496125@bugs.debian.org
Subject: Re: Bug#496125: [xml/sgml-pkgs] Bug#496125: Packages affected by libxml2 update
Date: Mon, 25 Aug 2008 13:36:15 -0600
Mike Hommey wrote:
> On Mon, Aug 25, 2008 at 05:57:33PM +0100, Sam Morris wrote:
>
>> Does anyone know of any reverse-dependencies that were broken by the
>> libxml2 update other than strigi and librsvg?
>>
>> librsvg should certainly be fixed to use the public API for creating
>> xmlEntity objects... has anyone investigated strigi/qt to see whether it
>> is guilty of the same crime? :)
>>
>
> Isn't it indirectly depending on librsvg ?
>
librsvg doesn't seem to be involved in Christian's backtrace of Dolphin
in message #99. And in strigi/src/streamanalyzer/fieldpropertiesdb.cpp I
find:
403: newEntity = new xmlEntity;
404: memset(newEntity, 0 , sizeof(xmlEntity));
(http://websvn.kde.org/trunk/kdesupport/strigi/src/streamanalyzer/fieldpropertiesdb.cpp?view=markup)
- Chris Burkhardt
Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Subject: Re: Bug#496125: [xml/sgml-pkgs] Bug#496125: Packages affected by libxml2 update
Date: Mon, 25 Aug 2008 21:39:16 +0200
On Mon, Aug 25, 2008 at 01:36:15PM -0600, Chris Burkhardt wrote:
> Mike Hommey wrote:
> > On Mon, Aug 25, 2008 at 05:57:33PM +0100, Sam Morris wrote:
> >
> >> Does anyone know of any reverse-dependencies that were broken by the
> >> libxml2 update other than strigi and librsvg?
> >>
> >> librsvg should certainly be fixed to use the public API for creating
> >> xmlEntity objects... has anyone investigated strigi/qt to see whether it
> >> is guilty of the same crime? :)
> >>
> >
> > Isn't it indirectly depending on librsvg ?
> >
>
> librsvg doesn't seem to be involved in Christian's backtrace of Dolphin
> in message #99. And in strigi/src/streamanalyzer/fieldpropertiesdb.cpp I
> find:
>
> 403: newEntity = new xmlEntity;
> 404: memset(newEntity, 0 , sizeof(xmlEntity));
>
> (http://websvn.kde.org/trunk/kdesupport/strigi/src/streamanalyzer/fieldpropertiesdb.cpp?view=markup)
Damn stupid API abusers.
Mike
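Added illustration, not code from libxml2, strigi or anyone in this thread: a minimal C model of why sizing a library struct with the caller's own `sizeof`, as in the strigi lines quoted above, is fragile once a library update appends a field, while objects obtained from a library constructor are not affected. The struct layouts, the `checked` field and the `lib_*` functions are hypothetical stand-ins, and the premise that the update grew the struct is an assumption of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Layout the application was compiled against (hypothetical, not libxml2's). */
struct entity_v1 { int type; const char *name; const char *content; };
/* Layout in the updated library: same prefix plus one appended field. */
struct entity_v2 { int type; const char *name; const char *content; int checked; };
#define CHECKED_OFF offsetof(struct entity_v2, checked)

/* Public constructor: the library allocates its own current layout. */
struct entity_v2 *lib_new_entity(const char *name, const char *content) {
    struct entity_v2 *e = calloc(1, sizeof *e);
    if (e) { e->type = 1; e->name = name; e->content = content; }
    return e;
}

/* Does the appended field lie inside an allocation of alloc_size bytes? */
int lib_field_in_bounds(size_t alloc_size) {
    return CHECKED_OFF + sizeof(int) <= alloc_size;
}

/* The updated library reads the new field of any entity it is handed. */
static int lib_read_checked(const void *entity) {
    int checked;
    memcpy(&checked, (const char *)entity + CHECKED_OFF, sizeof checked);
    return checked;
}

/* Caller-side pattern from the thread: zero only sizeof(old struct). The arena
   is v2-sized so the read stays legal; its 0xAA tail stands in for whatever
   heap data really follows a too-small object. */
int caller_allocated_checked(void) {
    unsigned char *arena = malloc(sizeof(struct entity_v2));
    if (!arena) return 0;
    memset(arena, 0xAA, sizeof(struct entity_v2));
    memset(arena, 0, sizeof(struct entity_v1));
    int seen = lib_read_checked(arena);
    free(arena);
    return seen;
}

/* Same read on an entity obtained from the constructor. */
int library_allocated_checked(void) {
    struct entity_v2 *e = lib_new_entity("amp", "&");
    int seen = e ? lib_read_checked(e) : -1;
    free(e);
    return seen;
}
```

With a genuinely too-small allocation the bytes at that offset belong to the allocator or to another object, so a library read returns unrelated data and a library write corrupts the heap.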
Tags added: moreinfo
Request was from Sam Morris <sam@robots.org.uk>
to control@bugs.debian.org.
(Mon, 25 Aug 2008 20:00:03 GMT)
Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility.
Notification sent to Christian Jaeger <christian@jaeger.mine.nu>:
Bug acknowledged by developer.
Subject: Bug#496125: fixed in libxml2 2.6.32.dfsg-3
Date: Mon, 25 Aug 2008 21:18:55 +0000
Source: libxml2
Source-Version: 2.6.32.dfsg-3
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:
libxml2-dbg_2.6.32.dfsg-3_amd64.deb
to pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-3_amd64.deb
libxml2-dev_2.6.32.dfsg-3_amd64.deb
to pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-3_amd64.deb
libxml2-doc_2.6.32.dfsg-3_all.deb
to pool/main/libx/libxml2/libxml2-doc_2.6.32.dfsg-3_all.deb
libxml2-utils_2.6.32.dfsg-3_amd64.deb
to pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-3_amd64.deb
libxml2_2.6.32.dfsg-3.diff.gz
to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-3.diff.gz
libxml2_2.6.32.dfsg-3.dsc
to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-3.dsc
libxml2_2.6.32.dfsg-3_amd64.deb
to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-3_amd64.deb
python-libxml2_2.6.32.dfsg-3_amd64.deb
to pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 496125@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Hommey <glandium@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 25 Aug 2008 22:01:17 +0200
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2
Architecture: source all amd64
Version: 2.6.32.dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Mike Hommey <glandium@debian.org>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
python-libxml2 - Python bindings for the GNOME XML library
Closes: 496125
Changes:
libxml2 (2.6.32.dfsg-3) unstable; urgency=high
.
* Fix DoS which leads to recursive evaluation of entities.
Fixes: CVE-2008-3281, without breaking librsvg and others. Closes: #496125.
Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility.
Notification sent to "Trent W. Buck" <trentbuck@gmail.com>:
Bug acknowledged by developer.
Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility.
Notification sent to Kill Bill <janix2000@yahoo.co.uk>:
Bug acknowledged by developer.
Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility.
Notification sent to Jean-Philippe MENGUAL <mengualjeanphi@free.fr>:
Bug acknowledged by developer.
Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility.
Notification sent to Ivan Rychtar <irychtar@gmail.com>:
Bug acknowledged by developer.
Bug marked as found in version 2.6.27.dfsg-3.
Request was from Sam Morris <sam@robots.org.uk>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 20:06:17 GMT)
Bug marked as fixed in version 2.6.27.dfsg-4.
Request was from Sam Morris <sam@robots.org.uk>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 20:06:23 GMT)