Bug 1348845 – CVE-2016-4463 xerces-c: Stack overflow when parsing deeply nested DTD

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1348845 - (CVE-2016-4463) CVE-2016-4463 xerces-c: Stack overflow when parsing deeply nested DTD

Summary:	CVE-2016-4463 xerces-c: Stack overflow when parsing deeply nested DTD

Status:	NEW

Aliases:	CVE-2016-4463

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20160629,repor...
Keywords:	Reopened, Security

Depends On:	1351469 1631343 1631344 1351467 1351468 1534481 1534482
Blocks:	1348850
	Show dependency tree / graph

Reported:	2016-06-22 04:21 EDT by Adam Mariš
Modified:	2018-10-30 04:00 EDT (History)
CC List:	21 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A stack exhaustion flaw was found in the way Xerces-C XML parser handled deeply nested DTDs. An attacker could potentially use this flaw to crash an application using Xerces-C by tricking it into processing specially crafted data.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-07-11 01:26:48 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:3335	None	None	None	2018-10-30 04:00 EDT

Groups: None (edit)

Description Adam Mariš 2016-06-22 04:21:05 EDT

The Xerces-C XML parser fails to successfully parse a DTD that is deeply nested, and this causes a stack overflow, which makes a denial of service attack against many applications possible by an unauthenticated attacker.

Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1747619

Upstream bugs:

https://issues.apache.org/jira/browse/XERCESC-2066
https://issues.apache.org/jira/browse/XERCESC-2069

In addition, a related enhancement was made to enable applications to fully disable DTD processing through the use of an environment variable.

http://svn.apache.org/viewvc?view=revision&revision=1747620

External References:

http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt

Comment 1 Andrej Nemec 2016-06-30 03:17:46 EDT

Created mingw-xerces-c tracking bugs for this issue:

Affects: fedora-all [bug 1351468]

Comment 2 Andrej Nemec 2016-06-30 03:17:56 EDT

Created xerces-c tracking bugs for this issue:

Affects: fedora-all [bug 1351467]

Comment 3 Andrej Nemec 2016-06-30 03:18:04 EDT

Created xerces-c27 tracking bugs for this issue:

Affects: fedora-all [bug 1351469]

Comment 4 Andrej Nemec 2016-06-30 03:18:49 EDT

Public via:

http://seclists.org/oss-sec/2016/q2/625

Comment 5 Fedora Update System 2016-07-02 11:23:28 EDT

xerces-c-3.1.4-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-07-05 00:57:33 EDT

mingw-xerces-c-3.1.4-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-07-06 01:50:53 EDT

mingw-xerces-c-3.1.4-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-07-06 01:51:42 EDT

xerces-c-3.1.4-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-07-06 01:54:19 EDT

mingw-xerces-c-3.1.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-07-06 01:55:00 EDT

xerces-c-3.1.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Dhiru Kholia 2018-01-10 11:32:35 EST

Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 28 errata-xmlrpc 2018-10-30 03:59:49 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3335 https://access.redhat.com/errata/RHSA-2018:3335

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
ableisch
anemec
avagarwa
bhu
dmcphers
esammons
iboverma
jialiu
jokerman
jross
lmeyer
matt
mcressma
mmccomas
mthacker
rrajasek
sardella
security-response-team
tiwillia
williams