[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan

2020-03-12 Thread Sylvain Beucler (Jira)


[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17057973#comment-17057973 ]

Sylvain Beucler commented on XERCESC-2188:
--

This adds to the current blockers, namely that a proper fix currently could not 
be reviewed, and would have high chances of breaking ABI.

Consequently I do not plan to spend more time on writing a patch.

> Use-after-free on external DTD scan
> ---
>
> Key: XERCESC-2188
> URL: https://issues.apache.org/jira/browse/XERCESC-2188
> Project: Xerces-C++
>  Issue Type: Bug
>  Components: Validating Parser (DTD)
>Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, 
> 3.1.4, 3.2.1, 3.2.2
>Reporter: Scott Cantor
>Priority: Major
> Attachments: Apache-496067-disclosure-report.pdf
>
>
> This is a record of an unfixed bug reported in 2018 in the DTD scanner, per 
> the attached PDF, corresponding to CVE-2018-1311.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org



[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan

2020-03-09 Thread Sylvain Beucler (Jira)


[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17055415#comment-17055415 ]

Sylvain Beucler commented on XERCESC-2188:
--

FWIW I spotted one embedding at 
[https://gitbox.apache.org/repos/asf?p=xerces-c.git;a=blob;f=src/xercesc/internal/XMLScanner.hpp;h=c8bdaf1fcfad32ef7b6c6424a879964db82ddfa2;hb=HEAD#l815]
 although I don't see internal/XMLScanner embedded in turn.




[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan

2020-03-09 Thread Sylvain Beucler (Jira)


[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17055399#comment-17055399 ]

Sylvain Beucler commented on XERCESC-2188:
--

Hi,

I'm no expert either and I'm merely forwarding the discussion myself.

From a distro point-of-view, I'm interested in patching xerces-c as-is 
(versions 3.1.1, 3.1.4 and 3.2.2), hopefully while preserving ABI 
compatibility (otherwise we'd have to recompile all packages that depend on 
libxerces-c).

AFAIU Hugo's patch suggestion implies modifying internal/ReaderMgr.
First adding a default parameter to function ReaderMgr::pushReader, which could 
be done ABI-compatibly with a new function pushReaderAdopt instead.
Then add a new private class member fAdoptedStack, which only stays 
ABI-compatible if no dependent program directly allocates an internal/ReaderMgr 
instance. From your comment, that does not seem guaranteed, though that could 
be a reasonable expectation.

Again, I'm no expert.

(Incidentally, do you have access to a reproducer? The report mentions a 
"simple PoC through samples/StdInParse" but my own test on a basic XML+DTD does 
not trigger any ASAN warning.)

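The ownership distinction the comment above turns on (a borrowed reader versus one the manager adopts and frees itself) as an added C++ illustration. This is not Xerces-C code and not Hugo's patch: `Reader`, `ReaderMgr`, `pushReader`, `pushReaderAdopt` and `fStack` are hypothetical stand-ins named after the thread, and the adopt semantics (the manager deletes an adopted reader when it pops it) are my assumption about what the `Adopt` naming implies.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Hypothetical stand-in for an input reader (not the Xerces-C class).
// The live counter lets the functions below report who freed what.
struct Reader {
    explicit Reader(int id) : id(id) { ++live; }
    ~Reader() { --live; }
    int id;
    static int live;
};
int Reader::live = 0;

// Hypothetical reader manager. The original non-owning push is kept as-is and
// the adopting variant is a new function, which is the ABI-friendlier option
// the comment mentions (no new default parameter on the existing symbol).
class ReaderMgr {
public:
    ~ReaderMgr() { while (!fStack.empty()) popReader(); }

    // Original API: the caller keeps ownership; the manager only borrows.
    void pushReader(Reader* r) { fStack.push_back({r, false}); }

    // Added API (assumed semantics): the manager owns r and frees it on pop.
    void pushReaderAdopt(Reader* r) { fStack.push_back({r, true}); }

    // Pops the top reader; returns true if the manager freed it.
    bool popReader() {
        if (fStack.empty()) return false;
        Entry e = fStack.back();
        fStack.pop_back();
        if (e.adopted) { delete e.reader; return true; }
        return false;
    }

    std::size_t depth() const { return fStack.size(); }
    Reader* top() const { return fStack.empty() ? nullptr : fStack.back().reader; }

private:
    // Ownership is tracked per entry here rather than in a separate
    // fAdoptedStack; either way the class gains data, so sizeof changes.
    struct Entry { Reader* reader; bool adopted; };
    std::vector<Entry> fStack;
};

// Borrowed reader: the manager's destructor must not free it.
// Returns the live count right after the manager is gone (expected 1).
int borrowedLeavesCallerOwner() {
    Reader* r = new Reader(1);
    {
        ReaderMgr mgr;
        mgr.pushReader(r);
    }
    int liveAfterMgr = Reader::live;
    delete r;  // still the caller's job
    return liveAfterMgr;
}

// Adopted readers: freed on explicit pop and on manager destruction.
// Returns the live count afterwards (expected 0).
int adoptedFreedByManager() {
    {
        ReaderMgr mgr;
        mgr.pushReaderAdopt(new Reader(2));
        mgr.pushReaderAdopt(new Reader(3));
        mgr.popReader();  // frees reader 3
    }                     // destructor frees reader 2
    return Reader::live;
}

// Mixed stack: a stack-allocated borrowed reader under an adopted one.
// Returns how many pops freed their reader (expected 1).
int freedCount() {
    Reader borrowed(4);  // must never be deleted by the manager
    ReaderMgr mgr;
    mgr.pushReader(&borrowed);
    mgr.pushReaderAdopt(new Reader(5));
    int freed = 0;
    while (mgr.depth() > 0)
        if (mgr.popReader()) ++freed;
    return freed;
}

int main() {
    std::cout << "borrowed: " << borrowedLeavesCallerOwner()
              << " adopted: " << adoptedFreedByManager()
              << " freed: " << freedCount()
              << " live: " << Reader::live << '\n';
    return Reader::live == 0 ? 0 : 1;
}
```

On the ABI point: whether the new state is a separate `fAdoptedStack` or a flag per entry as here, `sizeof(ReaderMgr)` and its layout change. Code that only ever receives a `ReaderMgr` created inside the library is unaffected, while a program that allocates one itself was compiled against the old size, which is exactly the condition the comment puts on the patch.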



[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan

2020-03-06 Thread Sylvain Beucler (Jira)


[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17053366#comment-17053366 ]

Sylvain Beucler commented on XERCESC-2188:
--

For the record, there is another patch attempt from Debian:
[https://lists.debian.org/debian-lts/2020/01/msg00055.html] though it didn't 
make it to the xerces c-dev mailing list (despite several attempts).

I'd be happy to provide a formalized patch here - is there upstream interest in 
fixing/reviewing this issue?
