Bug 1752592 (CVE-2019-15903) - CVE-2019-15903 expat: heap-based buffer over-read via crafted XML input
Summary: CVE-2019-15903 expat: heap-based buffer over-read via crafted XML input
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-15903
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1752596 1752597 1752598 1763559 1763561 1764937 1764938 1764939 1764940 1764941 1764942 1814367 1814368 1814369
Blocks: 1752593
TreeView+ depends on / blocked
 
Reported: 2019-09-16 17:52 UTC by Dhananjay Arunesh
Modified: 2024-03-11 18:29 UTC (History)
47 users (show)

Fixed In Version: expat 2.2.8, firefox 68.2, thunderbird 68.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-05 16:31:50 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3210 0 None None None 2019-10-29 09:49:02 UTC
Red Hat Product Errata RHSA-2019:3237 0 None None None 2019-10-29 13:46:59 UTC
Red Hat Product Errata RHSA-2019:3756 0 None None None 2019-11-06 17:08:00 UTC
Red Hat Product Errata RHSA-2020:2644 0 None None None 2020-06-22 12:26:44 UTC
Red Hat Product Errata RHSA-2020:2646 0 None None None 2020-06-22 13:08:48 UTC
Red Hat Product Errata RHSA-2020:3952 0 None None None 2020-09-29 20:04:42 UTC
Red Hat Product Errata RHSA-2020:4484 0 None None None 2020-11-04 01:23:16 UTC

Description Dhananjay Arunesh 2019-09-16 17:52:41 UTC 
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

Reference:
https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
https://github.com/libexpat/libexpat/issues/317
https://github.com/libexpat/libexpat/issues/342
https://github.com/libexpat/libexpat/pull/318
Comment 1 Dhananjay Arunesh 2019-09-16 17:59:54 UTC 
Created expat tracking bugs for this issue:

Affects: fedora-all [bug 1752596]


Created mingw-expat tracking bugs for this issue:

Affects: fedora-all [bug 1752597]
Comment 2 Dhananjay Arunesh 2019-09-16 18:01:33 UTC 
Created mingw-expat tracking bugs for this issue:

Affects: epel-7 [bug 1752598]
Comment 4 errata-xmlrpc 2019-10-29 09:49:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3210 https://access.redhat.com/errata/RHSA-2019:3210
Comment 5 Product Security DevOps Team 2019-10-29 12:51:13 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15903
Comment 6 errata-xmlrpc 2019-10-29 13:46:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3237 https://access.redhat.com/errata/RHSA-2019:3237
Comment 7 Product Security DevOps Team 2019-10-29 18:51:18 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15903
Comment 8 errata-xmlrpc 2019-11-06 17:07:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:3756 https://access.redhat.com/errata/RHSA-2019:3756
Comment 9 Kunjan Rathod 2019-11-14 23:07:25 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Enterprise Web Server 2



Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 10 Sonu Khan 2020-01-28 13:13:09 UTC 
Is there any plan to provide a patch for expat in RHEL7?
Is it possible to use thunderbird patch for expat since both packages are affected and the ticket is closed by providing fir for thunderbird only.
Also any mitigation steps.
Comment 11 Product Security DevOps Team 2020-03-05 16:31:50 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15903
Comment 12 Stefan Cornelius 2020-03-17 17:33:46 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 16 errata-xmlrpc 2020-06-22 12:26:39 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6
  JBoss Core Services on RHEL 7

Via RHSA-2020:2644 https://access.redhat.com/errata/RHSA-2020:2644
Comment 17 errata-xmlrpc 2020-06-22 13:08:44 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2020:2646 https://access.redhat.com/errata/RHSA-2020:2646
Comment 18 errata-xmlrpc 2020-09-29 20:04:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3952 https://access.redhat.com/errata/RHSA-2020:3952
Comment 19 errata-xmlrpc 2020-11-04 01:23:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4484 https://access.redhat.com/errata/RHSA-2020:4484
Note You need to log in before you can comment on or make changes to this bug.