Bug 2254376 (CVE-2023-34194) - CVE-2023-34194 tinyxml: reachable assertion may lead to denial of service
Summary: CVE-2023-34194 tinyxml: reachable assertion may lead to denial of service
Status: NEW
Alias: CVE-2023-34194
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2254380 2254381
TreeView+ depends on / blocked
Reported: 2023-12-13 16:47 UTC by Robb Gatica
Modified: 2023-12-22 14:50 UTC (History)
0 users

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was discovered in the tinyxml package. A local attacker may use a specially-crafted XML document to trigger an assert statement, which can lead to a denial of service.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Robb Gatica 2023-12-13 16:47:37 UTC
StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML through 2.6.2 has a reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace.


Comment 1 Robb Gatica 2023-12-13 16:52:03 UTC
This appears to be specific to tinyxml, which is no longer maintained. Tinyxml2 does not appear to be affected. 

Per the Forescout report:

TinyXML has not been maintained for nearly a decade. The project already had one public vulnerability without a known fix prior to this research (CVE-2021-42260, details in 9.4), and now there are two new issues which we found and that will not be fixed either. Using open-source intelligence (OSINT) – mainly searching for product documentation mentioning the TinyXML license – we were able to identify over 30 different products that still use TinyXML. Most of those are either other open-source projects or security software, but there are also several automotive infotainment systems, building automation devices and other IoT. It is difficult to know if and how any of these products could be vulnerable since XML parsing is not always directly accessible by an attacker. However, the proliferation of abandoned projects raises questions about how device vendors can respond to new vulnerabilities.

Comment 2 Robb Gatica 2023-12-13 16:52:46 UTC
Created tinyxml tracking bugs for this issue:

Affects: epel-all [bug 2254380]
Affects: fedora-all [bug 2254381]

Note You need to log in before you can comment on or make changes to this bug.