[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan

Thu, 05 Mar 2020 07:20:23 -0800 


    [ 
https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17052244#comment-17052244
 ] 

Scott Cantor commented on XERCESC-2188:
---------------------------------------

Noting, Red Hat just shipped a "fix" for this backported to 3.0 and the fix is 
simply to remove the Janitors around the objects causing the problem, as far as 
I can tell.

It's possible this is even correct if they're being freed independently at the 
right spot, but I don't know the code well enough to tell that.

Just for posterity:

{code}
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1311

--- xerces-c-3.0.1/src/xercesc/internal/IGXMLScanner.cpp.cve1311
+++ xerces-c-3.0.1/src/xercesc/internal/IGXMLScanner.cpp
@@ -1533,7 +1533,6 @@
             DTDEntityDecl* declDTD = new (fMemoryManager) 
DTDEntityDecl(gDTDStr, false, fMemoryManager);
             declDTD->setSystemId(sysId);
             declDTD->setIsExternal(true);
-            Janitor<DTDEntityDecl> janDecl(declDTD);

             // Mark this one as a throw at end
             reader->setThrowAtEnd(true);
@@ -3154,7 +3153,6 @@
     DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, 
false, fMemoryManager);
     declDTD->setSystemId(src.getSystemId());
     declDTD->setIsExternal(true);
-    Janitor<DTDEntityDecl> janDecl(declDTD);

     // Mark this one as a throw at end
     newReader->setThrowAtEnd(true);
{code}

> Use-after-free on external DTD scan
> -----------------------------------
>
>                 Key: XERCESC-2188
>                 URL: https://issues.apache.org/jira/browse/XERCESC-2188
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: Validating Parser (DTD)
>    Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, 
> 3.1.4, 3.2.1, 3.2.2
>            Reporter: Scott Cantor
>            Priority: Major
>         Attachments: Apache-496067-disclosure-report.pdf
>
>
> This is a record of an unfixed bug reported in 2018 in the DTD scanner, per 
> the attached PDF, corresponding to CVE-2018-1311.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org

Reply via email to