StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML through 2.6.2 has a reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace.

https://sourceforge.net/p/tinyxml/git/ci/master/tree/tinyxmlparser.cpp
https://www.forescout.com/resources/sierra21-vulnerabilities
This appears to be specific to tinyxml, which is no longer maintained. Tinyxml2 does not appear to be affected.

Per the Forescout report:

"TinyXML has not been maintained for nearly a decade. The project already had one public vulnerability without a known fix prior to this research (CVE-2021-42260, details in 9.4), and now there are two new issues which we found and that will not be fixed either. Using open-source intelligence (OSINT) – mainly searching for product documentation mentioning the TinyXML license – we were able to identify over 30 different products that still use TinyXML. Most of those are either other open-source projects or security software, but there are also several automotive infotainment systems, building automation devices and other IoT. It is difficult to know if and how any of these products could be vulnerable since XML parsing is not always directly accessible by an attacker. However, the proliferation of abandoned projects raises questions about how device vendors can respond to new vulnerabilities."
Created tinyxml tracking bugs for this issue:

Affects: epel-all [bug 2254380]
Affects: fedora-all [bug 2254381]