Bug 1199103 (CVE-2015-0252) - CVE-2015-0252 xerces-c: crashes on malformed input
Summary: CVE-2015-0252 xerces-c: crashes on malformed input
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-0252
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1204018 1204019 1204020 1204021 1217104 1217105
Blocks: 1199109
 
Reported: 2015-03-05 13:21 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:33 UTC

Fixed In Version: xerces-c 3.1.2
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed by an application using Xerces-C, would cause that application to crash.
Clone Of:
Environment:
Last Closed: 2015-06-30 07:21:35 UTC
Embargoed:


Attachments
XMLReader.cpp.patch (2.14 KB, text/plain)
2015-03-05 13:23 UTC, Vasyl Kaigorodov


Links
System: Red Hat Product Errata
ID: RHSA-2015:1193
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: xerces-c security update
Last Updated: 2015-06-29 20:11:03 UTC

Description Vasyl Kaigorodov 2015-03-05 13:21:33 UTC
The Xerces-C XML parser mishandles certain kinds of malformed input documents, resulting in a segmentation fault during a parse operation. The bug does not appear to allow for remote code execution, but is a denial of service attack that in many applications may allow for an unauthenticated attacker to supply malformed input and cause a crash.

Suggested upstream patch is attached to this Bugzilla.

Comment 1 Vasyl Kaigorodov 2015-03-05 13:23:35 UTC
Created attachment 998360
XMLReader.cpp.patch

Comment 2 Kurt Seifried 2015-03-20 04:06:34 UTC
This is now public: http://seclists.org/oss-sec/2015/q1/892

Comment 4 Tomas Hoger 2015-03-20 07:39:00 UTC
Created mingw-xerces-c tracking bugs for this issue:

Affects: fedora-all [bug 1204019]

Comment 5 Tomas Hoger 2015-03-20 07:39:04 UTC
Created xerces-c tracking bugs for this issue:

Affects: fedora-all [bug 1204018]
Affects: epel-6 [bug 1204021]

Comment 6 Tomas Hoger 2015-03-20 07:39:08 UTC
Created xerces-c27 tracking bugs for this issue:

Affects: fedora-all [bug 1204020]

Comment 7 Fedora Update System 2015-03-26 21:30:19 UTC
xerces-c-3.1.2-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-03-26 21:49:21 UTC
mingw-xerces-c-3.1.2-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-03-30 07:00:12 UTC
xerces-c-3.1.1-8.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-03-30 07:08:08 UTC
mingw-xerces-c-3.1.1-9.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-03-30 07:09:50 UTC
mingw-xerces-c-3.1.1-11.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-03-30 07:10:58 UTC
xerces-c-3.1.1-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Jarno Huuskonen 2015-04-13 06:23:48 UTC
Does CVE-2015-0252 affect xerces-c-3.1.1-6.el7.x86_64 that comes with "Red Hat Enterprise Linux Server release 7.1 (Maipo)" ?

On RHEL7 shibboleth sp (http://shibboleth.net/products/service-provider.html) uses xerces-c. Fix for CVE-2015-0252 is important because shibboleth sp has DoS vulnerability: https://shibboleth.net/community/advisories/secadv_20150319.txt

Comment 16 Ján Rusnačko 2015-04-14 08:10:22 UTC
(In reply to Jarno Huuskonen from comment #15)
> Does CVE-2015-0252 affect xerces-c-3.1.1-6.el7.x86_64 that comes with "Red
> Hat Enterprise Linux Server release 7.1 (Maipo)" ?
> 
> On RHEL7 shibboleth sp
> (http://shibboleth.net/products/service-provider.html) uses xerces-c. Fix
> for CVE-2015-0252 is important because shibboleth sp has DoS vulnerability:
> https://shibboleth.net/community/advisories/secadv_20150319.txt

Upstream states versions prior to 3.1.2 are affected, and RHEL 7.1 version is affected, too.

Comment 20 Scott Cantor 2015-05-14 17:07:50 UTC
Is there any kind of timeline on this? My community is left hanging, and it's been an unacceptably long period of time to leave a bug this serious unpatched.

I did a lot of work to get this fix out there from upstream, when that project was essentially dead, and this isn't really making me feel like it was worth my time.

Comment 21 errata-xmlrpc 2015-06-29 16:12:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1193 https://rhn.redhat.com/errata/RHSA-2015-1193.html

Comment 23 Ján Rusnačko 2015-06-30 07:31:24 UTC
Hello Scott,

I apologize for the delay - this has been handled unusually long. This issue has been stalled three times in various stages of our process due to extraordinary complications. I am going to do a postmortem now and make sure these are documented and addressed in the future.

Thank you !

Comment 24 Scott Cantor 2015-06-30 13:48:12 UTC
Thank you for getting the fix out, and for responding. I'm glad that at least this wasn't a routine situation.

