Bug 801648 (CVE-2012-1148)
| Summary: | CVE-2012-1148 expat: Memory leak in poolGrow | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acathrow, alee, apevec, bbaranow, bmaxwell, bmcclain, bsettle, ccoleman, cdewolf, cfergeau, cfu, chazlett, cpelland, csutherl, dandread, darran.lofthouse, dblechte, dmcphers, dosoudil, dpal, erik-fedora, gzaronik, idith, jason.greene, jawilson, jboss-set, jclere, jdoyle, jgalipea, jialiu, jmagne, jorton, lgao, lmeyer, lsurette, mbabacek, mburns, mharmsen, michal.skrivanek, mizdebsk, mmcgrath, mnewsome, mturk, myarboro, pgier, psakar, pslavice, rh-spice-bugs, rjones, rmeggins, rnetuka, rsvoboda, seceng-idm-qe-list, slong, srevivo, twalsh, uril, vtunka, weli, ykaul |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: |
https://issues.redhat.com/browse/JBCS-50 https://issues.redhat.com/browse/JWS-221 |
||
| Whiteboard: | |||
| Fixed In Version: | expat 2.1.0 | Doc Type: | Bug Fix |
| Doc Text: |
A memory leak flaw was found in Expat. If an XML file processed by an application linked against Expat triggered a memory re-allocation failure, Expat failed to free the previously allocated memory. This could cause the application to exit unexpectedly or crash when all available memory is exhausted.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:58:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 811830, 811831, 811832, 811833, 811834, 811835, 811836, 811837, 982563, 982566, 1200324, 1200326, 1238182, 1351488 | ||
| Bug Blocks: | 801654, 1286624, 1395463 | ||
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2012:0731 https://rhn.redhat.com/errata/RHSA-2012-0731.html Created compat-expat1 tracking bugs for this issue: Affects: fedora-all [bug 982563] Upstream bug: http://sourceforge.net/p/expat/bugs/2958794/ Upstream commit: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.167 This issue has been addressed in the following products: JBoss Web Server 2.1.0 Via RHSA-2016:0062 https://rhn.redhat.com/errata/RHSA-2016-0062.html This issue has been addressed in the following products: Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html |
Tim Boddy reported a memory leak in poolGrow [1] This bug applies at least to 1.95.8, 2.0.0 and 2.0.1 poolGrow in xml.parse.cpp has the following block of code: if (pool->blocks && pool->start == pool->blocks->s) { int blockSize = (int)(pool->end - pool->start)*2; pool->blocks = (BLOCK *) pool->mem->realloc_fcn(pool->blocks, (offsetof(BLOCK, s) + blockSize * sizeof(XML_Char))); if (pool->blocks == NULL) return XML_FALSE; pool->blocks->size = blockSize; pool->ptr = pool->blocks->s + (pool->ptr - pool->start); pool->start = pool->blocks->s; pool->end = pool->start + blockSize; } It looks like this will cause a memory leak if realloc_fcn returns NULL because pool->blocks will be overwritten but the old memory area to which it pointed won't be freed. The other places where reallocation is done in this file (via the REALLOC macro) don't have this bug because they correctly store the result in a temporary variable. This bug allows a serious DOS attack on a server that accepts XML-based requests if a request is seen of the following form: <!DOCTYPE foo [ <!ENTITY a "1234567890" > <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" > <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" > <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" > <!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" > <!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" > <!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" > <!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" > <!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" > <!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" > <!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" > <!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" > <!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > <!ENTITY n "&m;&m;&m;&m;&m;&m;&m;&m;" > ]> <foo bar="&n;"/> When the attribute is expanded, the realloc (assuming that it bounds the size of the request) will fail, leaking the buffer from before the realloc. [1] http://mail.python.org/pipermail/expat-bugs/2010-February/002870.html http://sourceforge.net/tracker/?func=detail&atid=110127&aid=2958794&group_id=10127