Bug 1788472 (CVE-2018-1311) - CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs
Summary: CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered ...
Status: NEW
Alias: CVE-2018-1311
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1788473 1788474 1788475 1791246 1791247 1791248
Blocks: 1788481
Reported: 2020-01-07 10:14 UTC by Marian Rehak
Modified: 2020-01-15 10:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in xerces-c in the way an XML document is processed via the SAX API. Applications that process XML documents with an external Document Type Definition (DTD) may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted XML file that would crash the application or potentially lead to arbitrary code execution.
Clone Of:
Last Closed:


Description Marian Rehak 2020-01-07 10:14:58 UTC
XML parser contains a use-after-free error triggered during the scanning of external DTDs. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

External References:


Comment 1 Marian Rehak 2020-01-07 10:15:56 UTC
Created xerces-c tracking bugs for this issue:

Affects: epel-6 [bug 1788474]
Affects: epel-8 [bug 1788475]
Affects: fedora-all [bug 1788473]

Comment 3 Mauro Matteo Cascella 2020-01-13 10:35:06 UTC
Disable DTD processing by setting the environment variable `XERCES_DISABLE_DTD=1`. Please note that this feature was introduced in xerces-c upstream version 3.1.4 and is not available in older versions. The versions of xerces-c as shipped with Red Hat Enterprise Linux 6 and 7 did not include this feature.

Comment 4 Mauro Matteo Cascella 2020-01-14 17:18:28 UTC
According to the disclosure report (https://issues.apache.org/jira/browse/XERCESC-2188), the SAX parser handles a stack of tokens to keep track of the different elements of an XML document. A DTDEntityDecl token is pushed on the stack when parsing the external DTD. Before being pushed, DTDEntityDecl is wrapped into a "Janitor" instance, whose goal is to automatically free the token's data later on.

The flaw seems to be related to this "Janitor" mechanism, which releases the data while the token is at the top of the stack. The top element is subsequently referenced by another method (ReaderMgr::getLastExtEntityInfo), thus causing a use-after-free.
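
The Janitor-and-stack interaction described in this comment, modelled as a self-contained C++ sketch. This is an added illustration, not Xerces-C code: the EntityDecl token, the Janitor scope guard and the ReaderStack are simplified stand-ins, and the set of live objects stands in for what a memory sanitizer would report, so the dangling pointer is detected without ever being dereferenced. The "fixed" variant shows one general remedy for this ownership pattern; it is not the upstream patch, which this report says does not exist yet.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for a DTDEntityDecl token. Every instance registers itself
// in a set of live objects so a dangling pointer can be recognised without being
// dereferenced (this plays the role a memory sanitizer would play in real life).
struct EntityDecl {
    std::string systemId;
    static std::set<const EntityDecl*>& live() {
        static std::set<const EntityDecl*> s;
        return s;
    }
    explicit EntityDecl(std::string id) : systemId(std::move(id)) { live().insert(this); }
    ~EntityDecl() { live().erase(this); }
    static bool isLive(const EntityDecl* p) { return live().count(p) != 0; }
};

// Scope guard in the spirit of Xerces-C's Janitor: deletes the object it holds when
// it goes out of scope, unless ownership is taken back with release().
template <class T>
class Janitor {
public:
    explicit Janitor(T* p) : p_(p) {}
    ~Janitor() { delete p_; }
    Janitor(const Janitor&) = delete;
    Janitor& operator=(const Janitor&) = delete;
    T* get() const { return p_; }
    T* release() { T* t = p_; p_ = nullptr; return t; }
private:
    T* p_;
};

// Stand-in for the reader manager's stack of tokens. It stores raw pointers, as the
// report describes, so it has no say in when the pointed-to tokens are freed.
struct ReaderStack {
    std::vector<EntityDecl*> entries;
    // Stand-in for ReaderMgr::getLastExtEntityInfo: inspects the top of the stack.
    // Returns true when the top entry no longer refers to a live token.
    bool topIsDangling() const {
        return !entries.empty() && !EntityDecl::isLive(entries.back());
    }
};

// Vulnerable shape: the Janitor keeps ownership, but the raw pointer is pushed on the
// stack and outlives the guard. Returns true if the top entry is dangling afterwards.
bool vulnerableTopIsDangling() {
    ReaderStack stack;
    {
        Janitor<EntityDecl> guard(new EntityDecl("constructed-external.dtd"));
        stack.entries.push_back(guard.get());
    }  // guard's destructor frees the token; the stack still points at it
    bool dangling = stack.topIsDangling();  // the later lookup would read freed memory
    stack.entries.pop_back();               // discard the stale pointer without touching it
    return dangling;
}

// One general remedy for this pattern (not the upstream patch): hand ownership to the
// stack with release(), so the token lives exactly as long as its stack entry does.
bool fixedTopIsDangling() {
    ReaderStack stack;
    {
        Janitor<EntityDecl> guard(new EntityDecl("constructed-external.dtd"));
        stack.entries.push_back(guard.release());  // guard no longer frees it
    }
    bool dangling = stack.topIsDangling();  // token is still alive here
    delete stack.entries.back();            // the stack frees it on pop
    stack.entries.pop_back();
    return dangling;
}

int main() {
    std::printf("vulnerable: top entry dangling = %s\n", vulnerableTopIsDangling() ? "yes" : "no");
    std::printf("fixed:      top entry dangling = %s\n", fixedTopIsDangling() ? "yes" : "no");
    return 0;
}
```

The point the model makes is that two parties (the scope guard and the stack) both believed they referred to the token, but only one of them controlled its lifetime; the lookup through the stack then ran after the guard had already freed it. Running the real parser under AddressSanitizer on an input with an external DTD is the practical way to confirm the same sequence in xerces-c itself.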

Comment 5 Mauro Matteo Cascella 2020-01-14 17:18:49 UTC
There is currently no upstream fix available for this flaw.
