Bug 1551525 (CVE-2017-12627)

Summary: CVE-2017-12627 xerces-c: Null pointer dereference while processing the path to DTD allows denial of service
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: antti.andreimann, bhu, erik-fedora, iboverma, jross, klember, mcressma, rrajasek, volker27, williams, xavier
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xerces-c 3.2.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 19:55:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1551526, 1551527, 1551528, 1551529, 1551530, 1552420, 1552421    
Bug Blocks: 1551531    

Description Adam Mariš 2018-03-05 10:56:34 UTC 
The Xerces-C XML parser mishandles certain kinds of external DTD references, resulting in dereference of a NULL pointer while processing the path to the DTD. The bug allows for a denial of service attack in applications that allow DTD processing and do not prevent external DTD usage, and could conceivably result in remote code execution.

Upstream patch:

https://svn.apache.org/viewvc?view=revision&revision=1819998

External References:

https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
Comment 1 Adam Mariš 2018-03-05 10:56:50 UTC 
Created xerces-c tracking bugs for this issue:

Affects: fedora-all [bug 1551527]


Created xerces-c27 tracking bugs for this issue:

Affects: fedora-all [bug 1551526]


Created mingw-xerces-c tracking bugs for this issue:

Affects: fedora-all [bug 1551528]


Created xerces-c tracking bugs for this issue:

Affects: epel-6 [bug 1551530]
Comment 4 Doran Moppert 2018-03-07 01:58:40 UTC 
Statement:

Red Hat Enterprise MRG and MRG-Messaging are currently in Maintenance phase. This issue has been rated as having Moderate security impact, and is not currently planned to be addressed in future releases of MRG or MRG-Messaging.  For more information, refer to the Issue Severity Classification and the Life Cycle and Update Policies:

https://access.redhat.com/security/updates/classification
https://access.redhat.com/support/policy/update_policies/
Comment 5 Doran Moppert 2018-03-07 01:58:49 UTC 
Mitigation:

Applications should strongly consider blocking remote entity resolution and/or outright disabling of DTD processing in light of the continued identification of bugs in this area of the library.