The Xerces-C XML parser contains a use-after-free error triggered during the scanning of external DTDs. Disabling external DTD processing mitigates the flaw. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.
Created xerces-c tracking bugs for this issue:
Affects: epel-6 [bug 1788474]
Affects: epel-8 [bug 1788475]
Affects: fedora-all [bug 1788473]
Disable DTD processing by setting the environment variable `XERCES_DISABLE_DTD=1`. Please note that this feature was introduced in xerces-c upstream version 3.1.4 and is not available in older versions. The versions of xerces-c as shipped with Red Hat Enterprise Linux 6 and 7 did not include this feature.
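Because the environment variable is silently ignored by builds older than 3.1.4, a deployment that relies on it should first confirm the installed library version. The following POSIX shell helper is an added example (not from the bug report or the xerces-c project): it parses a dotted version string, reports whether `XERCES_DISABLE_DTD` is honoured, and only then runs a command with the variable set. It assumes `pkg-config` knows the library under the name `xerces-c`.

```shell
#!/bin/sh
# Added example: verify that XERCES_DISABLE_DTD will take effect before
# relying on it. The variable exists from upstream 3.1.4 onwards; older
# builds ignore it and external DTDs are still scanned.

# Exit 0 if VERSION (e.g. 3.2.3) is >= 3.1.4, 1 if older, 2 if unparseable.
xerces_disable_dtd_supported() {
    ver="$1"
    case "$ver" in
        *[!0-9.]*|'') return 2 ;;   # not a plain dotted version string
    esac
    oldifs=$IFS; IFS=.
    set -- $ver                     # split into major minor patch
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -lt 3 ]; then return 1; fi
    if [ "$minor" -gt 1 ]; then return 0; fi
    if [ "$minor" -lt 1 ]; then return 1; fi
    [ "$patch" -ge 4 ]
}

# Run "$@" with DTD processing disabled, refusing when the installed
# xerces-c (queried through pkg-config, an assumption) would ignore it.
run_with_dtd_disabled() {
    installed=$(pkg-config --modversion xerces-c 2>/dev/null) || {
        echo "xerces-c not found via pkg-config; cannot verify mitigation" >&2
        return 2
    }
    if xerces_disable_dtd_supported "$installed"; then
        XERCES_DISABLE_DTD=1 "$@"
    else
        echo "xerces-c $installed predates 3.1.4: XERCES_DISABLE_DTD ignored" >&2
        return 1
    fi
}
```

Usage: `run_with_dtd_disabled ./my-xerces-app input.xml`; a non-zero status before the application starts means the mitigation would not have applied.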
According to the disclosure report (https://issues.apache.org/jira/browse/XERCESC-2188), the SAX parser handles a stack of tokens to keep track of the different elements of an XML document. A DTDEntityDecl token is pushed on the stack when parsing the external DTD. Before being pushed, DTDEntityDecl is wrapped into a "Janitor" instance, whose goal is to automatically free the token's data later on.
The flaw seems to be related to this "Janitor" mechanism, which releases the data while the token is at the top of the stack. The top element is subsequently referenced by another method (ReaderMgr::getLastExtEntityInfo) thus causing a use-after-free.
There is currently no upstream fix available for this flaw.