Bug 1752592 (CVE-2019-15903)

Summary: CVE-2019-15903 expat: heap-based buffer over-read via crafted XML input
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Keywords: Reopened, Security
Hardware: All
OS: Linux
Fixed In Version: expat 2.2.8, firefox 68.2, thunderbird 68.2
Last Closed: 2020-03-05 16:31:50 UTC
CC: asoldano, atangrin, bbaranow, bmaxwell, brian.stansberry, caillon, cdewolf, chazlett, cschalle, csutherl, darran.lofthouse, dosoudil, erik-fedora, gecko-bugs-nobody, gzaronik, iweiss, jawilson, jclere, jdoyle, jhorak, jorton, jperkins, jwon, krathod, kwills, lgao, mbabacek, msochure, msvehla, mturk, myarboro, nwallace, pjindal, pmackay, pslavice, psotirop, rcritten, rguimara, rh-spice-bugs, rjones, rsvoboda, smaestri, sonu.khan, stransky, tom.jenkinson, twalsh, weli
Bug Depends On: 1752596, 1752597, 1752598, 1763559, 1763561, 1764937, 1764938, 1764939, 1764940, 1764941, 1764942, 1814367, 1814368, 1814369
Bug Blocks: 1752593

Description Dhananjay Arunesh 2019-09-16 17:52:41 UTC
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

Reference:
https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
https://github.com/libexpat/libexpat/issues/317
https://github.com/libexpat/libexpat/issues/342
https://github.com/libexpat/libexpat/pull/318

Comment 1 Dhananjay Arunesh 2019-09-16 17:59:54 UTC
Created expat tracking bugs for this issue:

Affects: fedora-all [bug 1752596]
Created mingw-expat tracking bugs for this issue:

Affects: fedora-all [bug 1752597]

Comment 2 Dhananjay Arunesh 2019-09-16 18:01:33 UTC
Created mingw-expat tracking bugs for this issue:

Affects: epel-7 [bug 1752598]

Comment 4 errata-xmlrpc 2019-10-29 09:49:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3210 https://access.redhat.com/errata/RHSA-2019:3210

Comment 5 Product Security DevOps Team 2019-10-29 12:51:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15903

Comment 6 errata-xmlrpc 2019-10-29 13:46:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3237 https://access.redhat.com/errata/RHSA-2019:3237

Comment 7 Product Security DevOps Team 2019-10-29 18:51:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15903

Comment 8 errata-xmlrpc 2019-11-06 17:07:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:3756 https://access.redhat.com/errata/RHSA-2019:3756

Comment 9 Kunjan Rathod 2019-11-14 23:07:25 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Enterprise Web Server 2
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 10 Sonu Khan 2020-01-28 13:13:09 UTC
Is there any plan to provide a patch for expat in RHEL7?
Is it possible to use the thunderbird patch for expat, since both packages are affected and the ticket is closed by providing a fix for thunderbird only?
Also, are there any mitigation steps?

Comment 11 Product Security DevOps Team 2020-03-05 16:31:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15903

Comment 12 Stefan Cornelius 2020-03-17 17:33:46 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

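Since Comment 12 records no mitigation, the practical control is confirming which libexpat a given runtime actually links and that it is at or past the fixed version the header names (expat 2.2.8). The following is an added example, not code from the bug report or the libexpat project: it reads the version of the expat linked into Python through the standard-library pyexpat module, compares it against 2.2.8, and exercises the parse-error-position path (the Python attributes map onto XML_GetCurrentLineNumber / XML_GetCurrentColumnNumber) on two constructed documents that, like the crafted input in the description, carry an internal DTD subset. The sample documents and the function names are this example's own.

```python
# Added example (not from the bug report or libexpat): verify the linked expat
# version against the fix version named on this bug and show the position
# queries the over-read was reached through. Sample documents are constructed.
import pyexpat
import xml.parsers.expat as expat

FIXED_IN = (2, 2, 8)  # from the bug header: "Fixed In Version: expat 2.2.8"


def linked_expat_version():
    """Version of the libexpat this interpreter links, as (major, minor, micro)."""
    return tuple(pyexpat.version_info)


def has_cve_2019_15903_fix(version=None):
    """True when the given (or the linked) expat version is >= 2.2.8.

    Note: this is an upstream version check only. Distribution packages that
    backport the fix (the RHSA errata on this page do) keep an older version
    string, so on such systems compare the package NVR against the erratum.
    """
    v = linked_expat_version() if version is None else tuple(version)
    return v >= FIXED_IN


def parse_and_locate(doc):
    """Parse a whole document in one call.

    Returns (ok, line, column, message). On success the position is the
    parser's current position after the final chunk; on a well-formedness
    error it is the position expat reports (1-based line, 0-based column).
    """
    parser = expat.ParserCreate()
    try:
        parser.Parse(doc, True)
        return (True, parser.CurrentLineNumber, parser.CurrentColumnNumber, None)
    except expat.ExpatError as err:
        # err.lineno / err.offset come from XML_GetCurrentLineNumber /
        # XML_GetCurrentColumnNumber, the calls named in the description.
        return (False, err.lineno, err.offset, str(err))


# Constructed samples: an internal DTD subset (the parsing mode the
# description says the crafted input leaves too early) followed by content.
GOOD_DOC = "<!DOCTYPE a [<!ELEMENT a ANY>]>\n<a/>"
BAD_DOC = "<!DOCTYPE a [<!ELEMENT a ANY>]>\n<a><b></a>"  # mismatched end tag, line 2

if __name__ == "__main__":
    print("linked expat:", pyexpat.EXPAT_VERSION,
          "has 2.2.8 fix:", has_cve_2019_15903_fix())
    for name, doc in (("GOOD_DOC", GOOD_DOC), ("BAD_DOC", BAD_DOC)):
        print(name, parse_and_locate(doc))
```

Run it under each interpreter you ship: a Python built against a bundled expat can report a different version from the system libexpat that C applications on the same host use, so the check must be made from inside the runtime in question rather than from one `rpm -q expat`.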
Comment 16 errata-xmlrpc 2020-06-22 12:26:39 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6
  JBoss Core Services on RHEL 7

Via RHSA-2020:2644 https://access.redhat.com/errata/RHSA-2020:2644

Comment 17 errata-xmlrpc 2020-06-22 13:08:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2020:2646 https://access.redhat.com/errata/RHSA-2020:2646

Comment 18 errata-xmlrpc 2020-09-29 20:04:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3952 https://access.redhat.com/errata/RHSA-2020:3952

Comment 19 errata-xmlrpc 2020-11-04 01:23:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4484 https://access.redhat.com/errata/RHSA-2020:4484