XML parser contains a use-after-free error triggered during the scanning of external DTDs. Disabling external DTD processing can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. External References: https://marc.info/?l=xerces-c-users&m=157653840106914&w=2
Created xerces-c tracking bugs for this issue:
Affects: epel-6 [bug 1788474]
Affects: epel-8 [bug 1788475]
Affects: fedora-all [bug 1788473]
Mitigation: Disable DTD processing by setting the environment variable `XERCES_DISABLE_DTD=1`. Please note that this feature was introduced in xerces-c upstream version 3.1.4 and is not available in older versions. The versions of xerces-c as shipped with Red Hat Enterprise Linux 6 and 7 did not include this feature.
According to the disclosure report (https://issues.apache.org/jira/browse/XERCESC-2188), the SAX parser maintains a stack of tokens to keep track of the different elements of an XML document. A DTDEntityDecl token is pushed onto the stack when parsing the external DTD. Before being pushed, the DTDEntityDecl is wrapped in a "Janitor" instance, whose purpose is to automatically free the token's data later on. The flaw appears to lie in this "Janitor" mechanism, which releases the data while the token is still at the top of the stack. The top element is subsequently referenced by another method (ReaderMgr::getLastExtEntityInfo), causing a use-after-free.
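The ownership hand-off described above, modelled as an added example: this is not xerces-c code. The Janitor, DTDEntityDecl, token stack and lastExtEntityInfo are constructed stand-ins named after the report, and the corrected variant shows the release()-after-push pattern, which is one way to keep the token alive and not necessarily upstream's eventual patch.

```cpp
#include <string>
#include <vector>

// Constructed model of the ownership hand-off described in the report.
// Names mirror the report; the bodies are stand-ins, not xerces-c code.
struct DTDEntityDecl {
    static int live;  // count of live objects, used to detect dangling entries
    std::string systemId;
    explicit DTDEntityDecl(const std::string& id) : systemId(id) { ++live; }
    ~DTDEntityDecl() { --live; }
};
int DTDEntityDecl::live = 0;

// Scope guard in the style of xerces' Janitor: deletes the held object when it
// goes out of scope unless ownership was handed off with release().
template <class T> class Janitor {
    T* p_;
public:
    explicit Janitor(T* p) : p_(p) {}
    ~Janitor() { delete p_; }
    T* get() const { return p_; }
    T* release() { T* t = p_; p_ = nullptr; return t; }
    Janitor(const Janitor&) = delete;
    Janitor& operator=(const Janitor&) = delete;
};
using EntityStack = std::vector<DTDEntityDecl*>;  // token stack, top at back()

// Stand-in for ReaderMgr::getLastExtEntityInfo: reads the top token; only safe while every entry is owned.
std::string lastExtEntityInfo(const EntityStack& s) {
    return s.empty() ? std::string() : s.back()->systemId;
}

// Buggy: the pointer is pushed but the Janitor keeps ownership, so the token is
// freed at the closing brace while the stack still points at it. Returns true if an entry now dangles.
bool pushDangling(EntityStack& stack, const std::string& id) {
    {
        Janitor<DTDEntityDecl> guard(new DTDEntityDecl(id));
        stack.push_back(guard.get());
    }  // guard destroyed here: the stack entry is now a dangling pointer
    return static_cast<int>(stack.size()) > DTDEntityDecl::live;
}

// Fix: release() hands ownership to the stack; the token lives until popAndFree().
bool pushOwned(EntityStack& stack, const std::string& id) {
    Janitor<DTDEntityDecl> guard(new DTDEntityDecl(id));
    stack.push_back(guard.release());
    return static_cast<int>(stack.size()) > DTDEntityDecl::live;
}
void popAndFree(EntityStack& s) { delete s.back(); s.pop_back(); }
```

The live-object counter is only a detection aid for the demonstration; in a real build the same condition is what AddressSanitizer reports as a heap-use-after-free the moment the dangling top token is read.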
There is currently no upstream fix available for this flaw.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:0702 https://access.redhat.com/errata/RHSA-2020:0702
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0704 https://access.redhat.com/errata/RHSA-2020:0704
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-1311
Hi, I'm investigating this issue as part of the Debian LTS team. Upstream notes (https://issues.apache.org/jira/browse/XERCESC-2188) that the current fix may leak memory, though this makes it a valid mitigation for the use-after-free. Would you like to comment on that?
Hi Sylvain, thanks for the link. Yes, we're aware it appears to leak; the package is not widely used within RHEL (and is dropped in RHEL8), so we considered this a reasonable trade-off.