Bug 1788472 (CVE-2018-1311)

Summary: CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: antti.andreimann, beuc, bnater, cperry, esammons, gblomqui, jorton, jross, klember, mcascell, mcressma, rrajasek, security-response-team, volker27, walter.pete, xavier
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in xerces-c in the way an XML document is processed via the SAX API. Applications that process XML documents with an external Document Type Definition (DTD) may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted XML file that would crash the application or potentially lead to arbitrary code execution.
Last Closed: 2020-03-04 16:31:40 UTC
Bug Depends On: 1788473, 1788474, 1788475, 1791246, 1791247, 1791248
Bug Blocks: 1788481

Description Marian Rehak 2020-01-07 10:14:58 UTC
XML parser contains a use-after-free error triggered during the scanning of external DTDs. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

External References:

https://marc.info/?l=xerces-c-users&m=157653840106914&w=2

Comment 1 Marian Rehak 2020-01-07 10:15:56 UTC
Created xerces-c tracking bugs for this issue:

Affects: epel-6 [bug 1788474]
Affects: epel-8 [bug 1788475]
Affects: fedora-all [bug 1788473]

Comment 3 Mauro Matteo Cascella 2020-01-13 10:35:06 UTC
Mitigation:

Disable DTD processing by setting the environment variable `XERCES_DISABLE_DTD=1`. Please note that this feature was introduced in xerces-c upstream version 3.1.4 and is not available in older versions. The versions of xerces-c as shipped with Red Hat Enterprise Linux 6 and 7 did not include this feature.

Comment 4 Mauro Matteo Cascella 2020-01-14 17:18:28 UTC
According to the disclosure report (https://issues.apache.org/jira/browse/XERCESC-2188), the SAX parser handles a stack of tokens to keep track of the different elements of an XML document. A DTDEntityDecl token is pushed on the stack when parsing the external DTD. Before being pushed, DTDEntityDecl is wrapped into a "Janitor" instance, whose goal is to automatically free the token's data later on.

The flaw seems to be related to this "Janitor" mechanism, which releases the data while the token is at the top of the stack. The top element is subsequently referenced by another method (ReaderMgr::getLastExtEntityInfo) thus causing a use-after-free.
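A simplified model of the ownership mistake this comment describes, added here as an illustration and not xerces-c code: Token, Janitor, the token stack and lastExtEntityInfo are stand-ins for DTDEntityDecl, the Janitor wrapper, the SAX token stack and ReaderMgr::getLastExtEntityInfo, and "freed" is modelled as a flag rather than a real deallocation so the dangling reference can be observed without undefined behaviour. The buggy flow lets the janitor free the token while the stack still points at it; the corrected flow hands ownership to the stack and frees the token only when it is popped.

```cpp
#include <string>
#include <vector>
// Stand-in for DTDEntityDecl. "released" models freed memory so that touching a
// released token is detectable instead of being undefined behaviour.
struct Token {
    std::string name;
    bool released = false;
};

// RAII helper in the style of the Janitor the comment describes: it frees the
// object it guards when it goes out of scope, unless ownership was released.
class Janitor {
public:
    explicit Janitor(Token* t) : tok_(t) {}
    ~Janitor() { if (tok_) tok_->released = true; }
    Token* release() { Token* t = tok_; tok_ = nullptr; return t; }
private:
    Token* tok_;
};

// Stand-in for ReaderMgr::getLastExtEntityInfo: reads the token on top of the stack.
std::string lastExtEntityInfo(const std::vector<Token*>& stack) {
    if (stack.empty()) return "<none>";
    const Token* top = stack.back();
    return top->released ? "<use-after-free>" : top->name;
}

// Buggy flow: the token is pushed on the stack while a Janitor still owns it, so the
// Janitor frees it at the end of the scope even though the stack still points at it.
std::string scanExternalDtdBuggy(std::vector<Token*>& stack, Token& decl) {
    {
        Janitor guard(&decl);
        stack.push_back(&decl);
    }  // guard destroyed here: decl "freed" while still on top of the stack
    return lastExtEntityInfo(stack);
}

// Corrected flow: ownership moves from the Janitor to the stack, so the token
// survives until it is explicitly popped and freed after its last use.
std::string scanExternalDtdFixed(std::vector<Token*>& stack, Token& decl) {
    {
        Janitor guard(&decl);
        stack.push_back(guard.release());
    }
    std::string info = lastExtEntityInfo(stack);
    stack.back()->released = true;  // free only once the reference is no longer needed
    stack.pop_back();
    return info;
}
```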

Comment 5 Mauro Matteo Cascella 2020-01-14 17:18:49 UTC
There is currently no upstream fix available for this flaw.

Comment 18 errata-xmlrpc 2020-03-04 12:24:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0702 https://access.redhat.com/errata/RHSA-2020:0702

Comment 19 errata-xmlrpc 2020-03-04 15:15:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0704 https://access.redhat.com/errata/RHSA-2020:0704

Comment 20 Product Security DevOps Team 2020-03-04 16:31:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1311

Comment 21 Product Security DevOps Team 2020-03-04 22:31:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1311

Comment 22 Sylvain Beucler 2020-03-12 15:08:26 UTC
Hi,

I'm investigating this issue as part of the Debian LTS team.
Upstream notes (https://issues.apache.org/jira/browse/XERCESC-2188) that the current fix may leak memory, though this makes it a valid mitigation for the use-after-free.
Would you like to comment on that?

Comment 23 Joe Orton 2020-03-12 15:42:27 UTC
Hi Sylvain, thanks for the link.

Yes we're aware it appears to leak - the package is not widely used within RHEL (and is dropped in RHEL8) so we considered this a reasonable trade-off.