Bug 2254376 (CVE-2023-34194)

Summary: CVE-2023-34194 tinyxml: reachable assertion may lead to denial of service
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was discovered in the tinyxml package. A local attacker may use a specially-crafted XML document to trigger an assert statement, which can lead to a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2254380, 2254381
Bug Blocks:

Description Robb Gatica 2023-12-13 16:47:37 UTC
StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML through 2.6.2 has a reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace.

https://sourceforge.net/p/tinyxml/git/ci/master/tree/tinyxmlparser.cpp
https://www.forescout.com/resources/sierra21-vulnerabilities
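
One mitigation a caller can place in front of an unmaintained parser such as TinyXML, given as an added example here rather than code from TinyXML or from the reporter: XML 1.0 never allows a NUL byte (or any other C0 control byte apart from tab, LF and CR) anywhere in a document, so a length-aware scan of the raw buffer can refuse such input before it is handed to the parser's entry point (TiXmlDocument::Parse in TinyXML). The function names and the two sample documents below are constructed for this example; kNulDoc mirrors only the input shape the description names, a NUL following whitespace inside the declaration.

```cpp
// Added example, not TinyXML code: a pre-parse gate that rejects bytes
// XML 1.0 never allows, so an embedded NUL never reaches a legacy parser.
#include <cstddef>
#include <initializer_list>
#include <iostream>
#include <string>

// Return the offset of the first byte that XML 1.0 forbids anywhere in a
// document (NUL and the other C0 controls except tab, LF and CR), or -1 if
// the document contains none. Bytes >= 0x80 belong to multi-byte UTF-8
// sequences and are not judged here; this check targets control bytes only.
long firstIllegalByte(const std::string& doc) {
    for (std::size_t i = 0; i < doc.size(); ++i) {
        const unsigned char c = static_cast<unsigned char>(doc[i]);
        if (c == '\t' || c == '\n' || c == '\r') continue;
        if (c < 0x20) return static_cast<long>(i);
    }
    return -1;
}

// Gate to call before handing `doc` to the parser. Returns true only when no
// forbidden byte is present; on false, the parser is never invoked.
bool isSafeForLegacyXmlParser(const std::string& doc) {
    return firstIllegalByte(doc) == -1;
}

// Constructed samples. kNulDoc places a NUL right after the whitespace that
// follows the version attribute, the input shape this bug report describes;
// the explicit length keeps the NUL inside the std::string.
const std::string kGoodDoc = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<root/>\n";
const std::string kNulDoc  = std::string("<?xml version=\"1.0\" \0?>", 23) + "<root/>";

int main() {
    for (const std::string* doc : {&kGoodDoc, &kNulDoc}) {
        const long pos = firstIllegalByte(*doc);
        if (pos < 0) {
            std::cout << "accepted: no forbidden bytes\n";
        } else {
            std::cout << "rejected: forbidden byte 0x" << std::hex
                      << static_cast<int>(static_cast<unsigned char>((*doc)[pos]))
                      << std::dec << " at offset " << pos << "\n";
        }
    }
    return 0;
}
```

The scan must run over the full byte buffer with its length, as above: a NUL inside a C string ends it, so any check performed after converting to `const char*` (for example via `c_str()`) would never see the byte it is meant to catch. Because the page notes the library will not receive a fix, filtering at the input boundary like this is one of the few mitigations available to products that still embed it.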

Comment 1 Robb Gatica 2023-12-13 16:52:03 UTC
This appears to be specific to tinyxml, which is no longer maintained. Tinyxml2 does not appear to be affected. 

Per the Forescout report:

TinyXML has not been maintained for nearly a decade. The project already had one public vulnerability without a known fix prior to this research (CVE-2021-42260, details in 9.4), and now there are two new issues which we found and that will not be fixed either. Using open-source intelligence (OSINT) – mainly searching for product documentation mentioning the TinyXML license – we were able to identify over 30 different products that still use TinyXML. Most of those are either other open-source projects or security software, but there are also several automotive infotainment systems, building automation devices and other IoT. It is difficult to know if and how any of these products could be vulnerable since XML parsing is not always directly accessible by an attacker. However, the proliferation of abandoned projects raises questions about how device vendors can respond to new vulnerabilities.

Comment 2 Robb Gatica 2023-12-13 16:52:46 UTC
Created tinyxml tracking bugs for this issue:

Affects: epel-all [bug 2254380]
Affects: fedora-all [bug 2254381]