Bug 1788472 (CVE-2018-1311) - CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs
Summary: CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1311
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1788473 1788474 1788475 1791246 1791247 1791248
Blocks: 1788481
Reported: 2020-01-07 10:14 UTC by Marian Rehak
Modified: 2024-02-16 17:52 UTC (History)

Fixed In Version: xerces-c 3.2.3, xerces-c 3.2.4
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in xerces-c in the way an XML document is processed via the SAX API. Applications that process XML documents with an external Document Type Definition (DTD) may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted XML file that would crash the application or potentially lead to arbitrary code execution.
Clone Of:
Environment:
Last Closed: 2020-03-04 16:31:40 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0702 0 None None None 2020-03-04 12:24:58 UTC
Red Hat Product Errata RHSA-2020:0704 0 None None None 2020-03-04 15:15:17 UTC

Description Marian Rehak 2020-01-07 10:14:58 UTC
XML parser contains a use-after-free error triggered during the scanning of external DTDs. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

External References:

https://marc.info/?l=xerces-c-users&m=157653840106914&w=2

Comment 1 Marian Rehak 2020-01-07 10:15:56 UTC
Created xerces-c tracking bugs for this issue:

Affects: epel-6 [bug 1788474]
Affects: epel-8 [bug 1788475]
Affects: fedora-all [bug 1788473]

Comment 3 Mauro Matteo Cascella 2020-01-13 10:35:06 UTC
Mitigation:

Disable DTD processing by setting the environment variable `XERCES_DISABLE_DTD=1`. Please note that this feature was introduced in xerces-c upstream version 3.1.4 and is not available in older versions. The versions of xerces-c as shipped with Red Hat Enterprise Linux 6 and 7 did not include this feature.

Comment 4 Mauro Matteo Cascella 2020-01-14 17:18:28 UTC
According to the disclosure report (https://issues.apache.org/jira/browse/XERCESC-2188), the SAX parser handles a stack of tokens to keep track of the different elements of an XML document. A DTDEntityDecl token is pushed on the stack when parsing the external DTD. Before being pushed, DTDEntityDecl is wrapped into a "Janitor" instance, whose goal is to automatically free the token's data later on.

The flaw seems to be related to this "Janitor" mechanism, which releases the data while the token is at the top of the stack. The top element is subsequently referenced by another method (ReaderMgr::getLastExtEntityInfo), thus causing a use-after-free.

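An added C++ example, not xerces-c code, modelling the ownership bug comment 4 describes: a scope guard modelled on the report's Janitor frees the entity while a ReaderMgr-style token stack still points at it, beside the corrected handoff. The instrumented heap, the EntityDecl type and the function names are assumptions; only the Janitor, ReaderMgr and getLastExtEntityInfo names come from the report.

```cpp
#include <deque>
#include <string>
#include <vector>
// Instrumented "heap" (assumption, not xerces-c): freeing only flags an entity
// dead, so a stale reference is detected instead of being undefined behaviour.
struct EntityDecl { std::string systemId; bool alive; };
static std::deque<EntityDecl> g_heap;  // deque: addresses stable on push_back
static EntityDecl* allocEntity(const std::string& systemId) {
    g_heap.push_back({systemId, true});
    return &g_heap.back();
}
// Scope guard modelled on the report's "Janitor": frees its object at scope
// exit unless ownership was handed away with orphan().
class Janitor {
public:
    explicit Janitor(EntityDecl* p) : p_(p) {}
    ~Janitor() { if (p_) p_->alive = false; }  // the "free"
    EntityDecl* orphan() { EntityDecl* t = p_; p_ = nullptr; return t; }
private:
    EntityDecl* p_;
};
struct ReaderMgr {
    std::vector<EntityDecl*> stack;  // token stack; top is the last element
    // Mirrors getLastExtEntityInfo: reads the top-of-stack entity, and
    // returns false when that entity was already freed (the use-after-free).
    bool getLastExtEntityInfo(std::string& systemIdOut) const {
        if (stack.empty() || !stack.back()->alive) return false;
        systemIdOut = stack.back()->systemId;
        return true;
    }
};
// transferOwnership=false reproduces the bug: the raw pointer is pushed while
// the guard still owns it, so the guard frees it at scope exit and the stack
// is left pointing at freed data. transferOwnership=true is the fix: orphan()
// hands ownership to the stack first (the stack must then free the entity
// when it pops it, or it leaks; see comment 22).
bool scanExternalDtd(bool transferOwnership) {
    ReaderMgr mgr;
    {
        EntityDecl* decl = allocEntity("external.dtd");
        Janitor guard(decl);
        mgr.stack.push_back(transferOwnership ? guard.orphan() : decl);
    }                                   // guard's destructor runs here
    std::string id;
    return mgr.getLastExtEntityInfo(id) && id == "external.dtd";
}
```
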
Comment 5 Mauro Matteo Cascella 2020-01-14 17:18:49 UTC
There is currently no upstream fix available for this flaw.

Comment 18 errata-xmlrpc 2020-03-04 12:24:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0702 https://access.redhat.com/errata/RHSA-2020:0702

Comment 19 errata-xmlrpc 2020-03-04 15:15:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0704 https://access.redhat.com/errata/RHSA-2020:0704

Comment 20 Product Security DevOps Team 2020-03-04 16:31:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1311

Comment 21 Product Security DevOps Team 2020-03-04 22:31:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1311

Comment 22 Sylvain Beucler 2020-03-12 15:08:26 UTC
Hi,

I'm investigating this issue as part of the Debian LTS team.
Upstream notes (https://issues.apache.org/jira/browse/XERCESC-2188) that the current fix may leak memory, though this makes it a valid mitigation for the use-after-free.
Would you like to comment on that?

Comment 23 Joe Orton 2020-03-12 15:42:27 UTC
Hi Sylvain, thanks for the link.

Yes, we're aware it appears to leak - the package is not widely used within RHEL (and is dropped in RHEL8) so we considered this a reasonable trade-off.

