Bug#287371: [xml/sgml-pkgs] Bug#287371: xsltproc: Probable memory leak (when using document()?)

2022-04-24 Thread Vincent Lefevre
On 2022-02-19 18:28:00 +0100, Vincent Lefevre wrote:
> I'll test again (I've been using a fake DTD for the past 15 years).

This has just happened. The consequence is that several unrelated
processes were killed by the OOM killer, including daemons!

[...]
Apr 25 02:44:53 zira systemd[6589]: dconf.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:53 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSource/ldac_hq
Apr 25 02:44:53 zira systemd[1]: user@1000.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:53 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSource/ldac_sq
Apr 25 02:44:53 zira systemd[6589]: pipewire.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:53 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSource/ldac_mq
Apr 25 02:44:53 zira systemd[6589]: pipewire-media-session.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:53 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSink/aptx_hd
Apr 25 02:44:53 zira systemd[6589]: pulseaudio.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:53 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSource/aptx_hd
Apr 25 02:44:53 zira systemd[6589]: pipewire.service: Main process exited, code=killed, status=9/KILL
Apr 25 02:44:53 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSink/aptx
Apr 25 02:44:53 zira systemd[6589]: pipewire.service: Failed with result 'oom-kill'.
Apr 25 02:44:53 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSource/aptx
Apr 25 02:44:55 zira systemd[1]: user@1000.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:53 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSink/sbc
Apr 25 02:44:55 zira systemd[1]: session-204.scope: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:53 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSource/sbc
Apr 25 02:44:55 zira systemd[6589]: Requested transaction contradicts existing jobs: Resource deadlock avoided
Apr 25 02:44:53 zira acpid[792]: input device has been disconnected, fd 23
Apr 25 02:44:55 zira systemd[6589]: gpg-agent.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:55 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSink/sbc_xq_453
Apr 25 02:44:55 zira systemd[6589]: dbus.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:55 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSource/sbc_xq_453
Apr 25 02:44:55 zira systemd[6589]: at-spi-dbus-bus.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:55 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSink/sbc_xq_512
Apr 25 02:44:55 zira systemd[6589]: gvfs-daemon.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:55 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSource/sbc_xq_512
Apr 25 02:44:55 zira systemd[6589]: pipewire-media-session.service: Main process exited, code=killed, status=9/KILL
Apr 25 02:44:55 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSink/sbc_xq_552
Apr 25 02:44:55 zira systemd[6589]: pipewire-media-session.service: Failed with result 'oom-kill'.
Apr 25 02:44:55 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSource/sbc_xq_552
Apr 25 02:44:55 zira systemd[6589]: Stopped PipeWire Media Session Manager.
Apr 25 02:44:56 zira rtkit-daemon[826]: Successfully made thread 289323 of process 289323 owned by '1000' high priority at nice level -11.
Apr 25 02:44:55 zira systemd[6589]: pipewire-media-session.service: Consumed 3.038s CPU time.
Apr 25 02:44:56 zira rtkit-daemon[826]: Supervising 1 threads of 1 processes of 1 users.
Apr 25 02:44:55 zira systemd[6589]: dbus.service: Main process exited, code=killed, status=9/KILL
Apr 25 02:44:56 zira rtkit-daemon[826]: Supervising 1 threads of 1 processes of 1 users.
Apr 25 02:44:55 zira systemd[6589]: dbus.service: Failed with result 'oom-kill'.
Apr 25 02:44:56 zira rtkit-daemon[826]: Supervising 1 threads of 1 processes of 1 users.
Apr 25 02:44:55 zira systemd[6589]: gvfs-daemon.service: Main process exited, code=killed, status=9/KILL
Apr 25 02:44:56 zira rtkit-daemon[826]: Supervising 1 threads of 1 processes of 1 users.
Apr 25 02:44:55 zira systemd[6589]: gvfs-daemon.service: Failed with result 'oom-kill'.
Apr 25 02:44:56 zira rtkit-daemon[826]: Successfully made thread 289329 of process 

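Added example, not part of the original message: a triage script that reduces a journal excerpt like the one above to the list of units that lost a process to the OOM killer and the units that failed outright. It assumes each journal entry is on a single line and that systemd[1] is the system manager while any other systemd PID is a per-user manager; the function names are hypothetical.

```python
import re
from collections import defaultdict

# A few entries copied from the excerpt in the message above, one per line.
SAMPLE = """\
Apr 25 02:44:53 zira systemd[6589]: dconf.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:53 zira systemd[1]: user@1000.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:53 zira systemd[6589]: pipewire.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:53 zira bluetoothd[241267]: Endpoint unregistered: sender=:1.100 path=/MediaEndpoint/A2DPSource/ldac_mq
Apr 25 02:44:53 zira systemd[6589]: pipewire.service: Main process exited, code=killed, status=9/KILL
Apr 25 02:44:53 zira systemd[6589]: pipewire.service: Failed with result 'oom-kill'.
Apr 25 02:44:55 zira systemd[1]: session-204.scope: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:55 zira systemd[6589]: gpg-agent.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:55 zira systemd[6589]: dbus.service: A process of this unit has been killed by the OOM killer.
Apr 25 02:44:55 zira systemd[6589]: dbus.service: Failed with result 'oom-kill'.
"""

# Only systemd's own per-unit messages are of interest: "<unit>: <message>".
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ systemd\[(?P<pid>\d+)\]: "
                  r"(?P<unit>\S+): (?P<msg>.*)$")

def oom_summary(text):
    """Map (scope, unit) -> {'kills': int, 'failed': bool, 'first': timestamp}."""
    units = defaultdict(lambda: {"kills": 0, "failed": False, "first": None})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # other daemons, or systemd messages not tied to a unit
        killed = "killed by the OOM killer" in m["msg"]
        failed = "Failed with result 'oom-kill'" in m["msg"]
        if not (killed or failed):
            continue  # e.g. "Main process exited", covered by the failure line
        scope = "system" if m["pid"] == "1" else "user"  # assumption, see lead-in
        rec = units[(scope, m["unit"])]
        rec["kills"] += killed
        rec["failed"] |= failed
        rec["first"] = rec["first"] or m["ts"]
    return dict(units)

def failed_units(summary):
    """Units whose main process died, i.e. the service itself went down."""
    return sorted(unit for (_, unit), rec in summary.items() if rec["failed"])

if __name__ == "__main__":
    for (scope, unit), rec in sorted(oom_summary(SAMPLE).items()):
        state = "unit failed" if rec["failed"] else "process killed"
        print(f"{rec['first']}  {scope:6}  {unit:20}  kills={rec['kills']}  {state}")
```
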
2022-02-19 Thread Vincent Lefevre
On 2022-02-19 18:01:52 +0100, Mattia Rizzolo wrote:
> On Thu, Feb 10, 2022 at 01:08:33PM +0100, Vincent Lefevre wrote:
> > This is no different than CVE-2013-0338 and CVE-2013-0339[*]. The
> > point is that from a small document, one can exhaust the memory
> > of the machine. CVE-2013-0338 and CVE-2013-0339 are about entity
> > expansion, but there are the same consequences with just loading
> > data in memory.
> > 
> > [*] https://www.openwall.com/lists/oss-security/2013/02/22/3
> 
> If you believe so, and you confirmed that it hasn't been fixed in the
> past 15 years, could you please either (or both):
>  * report it to MITRE's CVE form
>  * report it in https://gitlab.gnome.org/GNOME/libxml2/-/issues
> ?

I'll test again (I've been using a fake DTD for the past 15 years).

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



2022-02-19 Thread Mattia Rizzolo
On Thu, Feb 10, 2022 at 01:08:33PM +0100, Vincent Lefevre wrote:
> This is no different than CVE-2013-0338 and CVE-2013-0339[*]. The
> point is that from a small document, one can exhaust the memory
> of the machine. CVE-2013-0338 and CVE-2013-0339 are about entity
> expansion, but there are the same consequences with just loading
> data in memory.
> 
> [*] https://www.openwall.com/lists/oss-security/2013/02/22/3

If you believe so, and you confirmed that it hasn't been fixed in the
past 15 years, could you please either (or both):
 * report it to MITRE's CVE form
 * report it in https://gitlab.gnome.org/GNOME/libxml2/-/issues
?

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
More about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-



2005-01-10 Thread Vincent Lefevre
On 2004-12-31 14:15:42 +0900, Mike Hommey wrote:
> On Fri, Dec 31, 2004 at 02:40:54AM +0100, Vincent Lefevre [EMAIL PROTECTED] wrote:
> > On 2004-12-30 14:05:06 +0900, Mike Hommey wrote:
> > > Can you try with xsltproc from the experimental distribution? I know
> > > several memleaks have been fixed there and in libxml2.
> >
> > Unfortunately, there's no package for PowerPC yet.
>
> Can't you try to build it?

I could try on an x86 machine where I've installed the experimental
libxml2 package (version 2.6.16-1). The problem is still there.

-- 
Vincent Lefèvre [EMAIL PROTECTED] - Web: http://www.vinc17.org/
100% accessible validated (X)HTML - Blog: http://www.vinc17.org/blog/
Work: CR INRIA - computer arithmetic / SPACES project at LORIA

