Bug 515515 (CVE-2009-1885)

Summary: CVE-2009-1885 xerces-c, xerces-c27: Stack overflow when parsing recursive XML structures
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bressers, gsim, jrusnack, juhani.eronen, mrg-program-list, security-response-team
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://svn.apache.org/viewvc?view=rev&revision=781488
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-01 04:10:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2009-08-04 15:26:39 UTC 
A stack overflow flaw was found in Apache Xerces by parsing root XML document
element DTD definition. Providing a specially-crafted XML file would
lead to excessive stack growth and denial of service (crash), when
opened by a victim.

Upstream patch:
---------------
http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=781488&r2=781487&pathrev=781488&view=patch

Credit:
-------
The flaw was discovered by Jukka Taimisto and Rauli Kaksonen from the
CROSS project at Codenomicon Ltd.
Comment 2 Jan Lieskovsky 2009-08-04 15:51:33 UTC 
This issue affects the versions of the xerces-c and xerces-c27 packages,
as shipped with Fedora releases of 10 and 11.

This issue affects the versions of the xerces-c package,
as shipped within the Extra Packages for Enterprise Linux 4 (EPEL-4)
and Extra Packages for Enterprise Linux 5 (EPEL-5) projects.

Please fix.
Comment 4 Jan Lieskovsky 2009-08-06 12:01:50 UTC 
Public now via:

    http://www.cert.fi/en/reports/2009/vulnerability2009085.html
Comment 5 Fedora Update System 2009-08-06 14:24:46 UTC 
xerces-c-2.8.0-5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/xerces-c-2.8.0-5.fc10
Comment 6 Fedora Update System 2009-08-06 14:24:54 UTC 
xerces-c-2.8.0-5.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/xerces-c-2.8.0-5.fc11
Comment 7 Fedora Update System 2009-08-06 14:56:56 UTC 
xerces-c27-2.7.0-8.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/xerces-c27-2.7.0-8.fc11
Comment 8 Fedora Update System 2009-08-06 14:57:04 UTC 
xerces-c27-2.7.0-8.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/xerces-c27-2.7.0-8.fc10
Comment 9 Fedora Update System 2009-08-06 14:57:12 UTC 
xerces-c-2.7.0-8.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/xerces-c-2.7.0-8.el4
Comment 10 Fedora Update System 2009-08-06 14:57:20 UTC 
xerces-c-2.7.0-8.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/xerces-c-2.7.0-8.el5
Comment 13 Jan Lieskovsky 2009-08-07 11:52:17 UTC 
This issue affects the versions of Xerces-c package, as shipped
with Red Hat Enterprise MRG 1.1 for Red Hat Enterprise Linux 4
and Red Hat Enterprise Linux 5.
Comment 14 Jan Lieskovsky 2009-08-07 11:54:09 UTC 
Official statement from Red Hat Security Response Team regarding this issue:
----------------------------------------------------------------------------

The Red Hat Security Response Team has rated this issue as having low security
impact, a future Xerces-c package update may address this flaw in Red Hat
Enterprise MRG 1.1. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
Comment 15 Fedora Update System 2009-08-25 04:25:15 UTC 
xerces-c27-2.7.0-8.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2009-08-25 04:40:45 UTC 
xerces-c-2.8.0-5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2009-08-25 04:41:05 UTC 
xerces-c27-2.7.0-8.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2009-08-25 04:47:29 UTC 
xerces-c-2.8.0-5.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2009-09-01 20:27:40 UTC 
xerces-c-2.7.0-8.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2009-09-01 20:27:58 UTC 
xerces-c-2.7.0-8.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Peter Lemenkov 2009-09-25 13:20:43 UTC 
Should be closed now, I suppose.
Comment 22 Tomas Hoger 2009-09-28 11:44:26 UTC 
We actually do want to keep this open for bit longer, as xerces-c is shipped as part of some products, but due to the impact of the flaw itself and impact on particular product, updates are not expected to go out immediately.  So I will re-open, feel free to un-CC yourself, as all you care about is fixed by now.

Thank you!
Comment 23 Peter Lemenkov 2009-09-28 11:59:49 UTC 
Ok, understood.
Feel free to do everything you need with this ticket :)
Comment 24 Kurt Seifried 2014-12-01 04:10:37 UTC 
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.