CVE-2023-29469: Non-Deterministic Hashing Vulnerability in libxml2 Before 2.10.4 Causes Logic and Memory Errors

A security vulnerability has been identified in libxml2 before version 2.10.4, which affects the way empty dict strings are hashed in XML documents. Specifically, the issue is present in the xmlDictComputeFastKey function in the dict.c source file. This function, when encountering empty dict strings, can produce non-deterministic values, leading to various logic and memory errors, such as a double free. The root cause of this behavior is the attempt to use the first byte of an empty string, which can have any possible value, not strictly the '\' value.

Exploit Details

The vulnerability is located in the xmlDictComputeFastKey function, which is responsible for computing the hash value of a dictionary string. The following is a snippet of the problematic code:

unsigned long
xmlDictComputeFastKey(const xmlChar *name) {
    unsigned long value = ;

    if (name == NULL)
	    return();

    value = *name++;
    if (value) {
	    value = value * 9 + *name;
    }
    return(value);
}

As can be seen in the code above, if the name parameter is non-null, the function proceeds to use the first byte of the string as the initial value. However, if the string is empty, the first byte could be any value, which leads to non-deterministic behavior in the computation of hash values.

To successfully exploit this vulnerability, an attacker would need to craft a malicious XML document containing empty dict strings, which would force the xmlDictComputeFastKey function into an unstable state producing improper hash values. Consequently, this could lead to various logic errors and memory issues, such as double freeing of memory.

Original References

1. CVE-2023-29469 - NVD Detail - Official vulnerability report in NVD database.
2. libxml2 Git Commit Fixing the Vulnerability - The commit with the patch in the official libxml2 repository.

Solution

The issue has been addressed in libxml2 version 2.10.4 and later. It is strongly recommended to update your version of libxml2 to the latest stable release to mitigate this vulnerability. The following is the corrected code snippet in the patched version:

unsigned long
xmlDictComputeFastKey(const xmlChar *name) {
    unsigned long value = ;

    if ((name == NULL) || (*name == ))
	    return();

    value = *name++;
    if (value) {
	    value = value * 9 + *name;
    }
    return(value);
}

As can be seen, the code now checks whether *name is equal to the null character, in addition to checking whether name itself is NULL. This ensures that empty strings are handled correctly and do not result in non-deterministic hash values.

In conclusion, CVE-2023-29469 is a critical vulnerability that affects the security and robustness of XML document processing in libxml2 before version 2.10.4. Updating to the latest version of libxml2 or applying the provided patch is essential to prevent potential exploitation of this vulnerability in your systems.

Timeline

Published on: 04/24/2023 21:15:00 UTC
Last modified on: 05/04/2023 16:06:00 UTC