[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17793670#comment-17793670 ]

Boris Kolpackov commented on XERCESC-2188:

A new PR with the fix: [https://github.com/apache/xerces-c/pull/54]

Please review/test.

> Use-after-free on external DTD scan
> ---
>
> Key: XERCESC-2188
> URL: https://issues.apache.org/jira/browse/XERCESC-2188
> Project: Xerces-C++
> Issue Type: Bug
> Components: Validating Parser (DTD)
> Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, 3.1.4, 3.2.1, 3.2.2
> Reporter: Scott Cantor
> Priority: Major
> Attachments: Apache-496067-disclosure-report.pdf
>
> This is a record of an unfixed bug reported in 2018 in the DTD scanner, per the attached PDF, corresponding to CVE-2018-1311.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17738217#comment-17738217 ]

Benjamin Fritz commented on XERCESC-2188:

FYI updates to CVEs in NVD can be requested here: https://cveform.mitre.org/ (sometimes they respond with a different place to report instead, I will try to remember to update if this is the case for this one)

I have gone ahead and requested the affected versions be updated to reflect that there is currently no fixed version, referencing this issue page and the advisory, since at this time version 3.2.3 is still listed as the last impacted version in NVD.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17716910#comment-17716910 ]

Scott Cantor commented on XERCESC-2188:

I will update the advisory tonight or tomorrow with some information about it but it's not going to keep getting updated like this because some scanner is broken and misused. Since patches are infrequent, hopefully that will hold it for a while.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17716908#comment-17716908 ]

Ilguiz Latypov commented on XERCESC-2188:

Perhaps NVD and scan KBs rely on this ticket's description carrying the "affected versions" field. Adding 3.2.3 and 3.2.4 to it could at least confirm the presence of the weakness for others.

NVD mentions Apache as the CVE Numbering Authority for this issue.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17716859#comment-17716859 ]

Scott Cantor commented on XERCESC-2188:

I have no control over any CVEs, and their total inaccuracy across the board is why I don't use them. Our advisory is accurate so far as I can see but I can adjust that if there's something off in it.

https://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt

There are not likely to ever be any 4.0 releases, this library is effectively frozen pending a change in committers.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17716851#comment-17716851 ]

Ilguiz Latypov commented on XERCESC-2188:

Since year 2019, the NIST record of this bug included the upper boundary for the Xerces C version, 3.2.3 (probably because it was the last known version of the product).

https://nvd.nist.gov/vuln/detail/CVE-2018-1311#VulnChangeHistorySection

Now that 3.2.4 is released, it shows as clean from the CVE despite still being vulnerable. This makes the component scan users miss the danger.

Is there a way to remove the upper boundary from the CVE? I can see the change history at NIST extends to this year.

Hopefully a breaking change (4.0?) can be free from the vulnerability, at which point the CVE record could add the proper upper boundary.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17480656#comment-17480656 ]

Even Rouault commented on XERCESC-2188:

My attempt at fixing the issue in https://github.com/apache/xerces-c/pull/47
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17158127#comment-17158127 ]

Scott Cantor commented on XERCESC-2188:

Not by me. The master branch has moved on to a possible 4.0 so there's no barrier to making changes to accommodate it, but I have no exposure to DTD issues and therefore no justification for spending paid time working on that area of the code anymore unless the work is trivial.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17158122#comment-17158122 ]

Trupti commented on XERCESC-2188:

Hi,

Can someone please shed some light here on whether this issue is going to be fixed in Apache Xerces-c and what the planned version for the fix is? Appreciate your response. Thank you in advance.

Best Regards,
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17090335#comment-17090335 ] Andrew Williams commented on XERCESC-2188: -- Could perhaps do more to clean-up in the event that the ReaderManager pops the entity off the stack; but the following patch at least avoids the use-after free without leaking. {code:java} diff -Naurw xerces-c-3.2.2.orig/src/xercesc/internal/DGXMLScanner.cpp xerces-c-3.2.2/src/xercesc/internal/DGXMLScanner.cpp --- xerces-c-3.2.2.orig/src/xercesc/internal/DGXMLScanner.cpp 2018-02-14 17:22:36.0 -0800 +++ xerces-c-3.2.2/src/xercesc/internal/DGXMLScanner.cpp2020-04-22 20:42:09.42636 -0700 @@ -65,6 +65,7 @@ , fElemCount(0) , fAttDefRegistry(0) , fUndeclaredAttrRegistry(0) +, fDTDEntityJanitor(4, true, manager) { CleanupType cleanup(this, ::cleanUp); @@ -100,6 +101,7 @@ , fElemCount(0) , fAttDefRegistry(0) , fUndeclaredAttrRegistry(0) +, fDTDEntityJanitor(4, true, manager) { CleanupType cleanup(this, ::cleanUp); @@ -1046,13 +1048,14 @@ // In order to make the processing work consistently, we have to // make this look like an external entity. So create an entity // decl and fill it in and push it with the reader, as happens -// with an external entity. Put a janitor on it to insure it gets -// cleaned up. The reader manager does not adopt them. +// with an external entity. Put a 'janitor' on it to ensure it gets +// cleaned up. While the reader manager does not adopt them, it may +// still dereference them. const XMLCh gDTDStr[] = { chLatin_D, chLatin_T, chLatin_D , chNull }; DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager); declDTD->setSystemId(sysId); declDTD->setIsExternal(true); -Janitor janDecl(declDTD); +fDTDEntityJanitor.addElement(declDTD); // Mark this one as a throw at end reader->setThrowAtEnd(true); 
@@ -2125,13 +2128,14 @@ // In order to make the processing work consistently, we have to // make this look like an external entity. So create an entity // decl and fill it in and push it with the reader, as happens -// with an external entity. Put a janitor on it to insure it gets -// cleaned up. The reader manager does not adopt them. +// with an external entity. Put a 'janitor' on it to ensure it gets +// cleaned up. While the reader manager does not adopt them, it may +// still dereference them. const XMLCh gDTDStr[] = { chLatin_D, chLatin_T, chLatin_D , chNull }; DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager); declDTD->setSystemId(src.getSystemId()); declDTD->setIsExternal(true); -Janitor janDecl(declDTD); +fDTDEntityJanitor.addElement(declDTD); // Mark this one as a throw at end newReader->setThrowAtEnd(true); diff -Naurw xerces-c-3.2.2.orig/src/xercesc/internal/DGXMLScanner.hpp xerces-c-3.2.2/src/xercesc/internal/DGXMLScanner.hpp --- xerces-c-3.2.2.orig/src/xercesc/internal/DGXMLScanner.hpp 2018-02-14 17:22:36.0 -0800 +++ xerces-c-3.2.2/src/xercesc/internal/DGXMLScanner.hpp2020-04-22 20:42:09.42636 -0700 @@ -175,6 +175,8 @@ unsigned intfElemCount; RefHashTableOf* fAttDefRegistry; Hash2KeysSetOf*fUndeclaredAttrRegistry; + +RefVectorOf fDTDEntityJanitor; }; inline const XMLCh* DGXMLScanner::getName() const diff -Naurw xerces-c-3.2.2.orig/src/xercesc/internal/IGXMLScanner.cpp xerces-c-3.2.2/src/xercesc/internal/IGXMLScanner.cpp --- xerces-c-3.2.2.orig/src/xercesc/internal/IGXMLScanner.cpp 2018-02-14 17:22:36.0 -0800 +++ xerces-c-3.2.2/src/xercesc/internal/IGXMLScanner.cpp2020-04-22 20:42:09.42636 -0700 @@ -85,6 +85,7 @@ , fErrorStack(0) , fSchemaInfoList(0) , fCachedSchemaInfoList (0) +, fDTDEntityJanitor(4, true, manager) { CleanupType cleanup(this, ::cleanUp); 
@@ -138,6 +139,7 @@ , fErrorStack(0) , fSchemaInfoList(0) , fCachedSchemaInfoList (0) +, fDTDEntityJanitor(4, true, manager) { CleanupType cleanup(this, ::cleanUp); @@ -1526,13 +1528,14 @@ // In order to make the processing work consistently, we have to // make this look like an external entity. So create an entity // decl and fill it in and push it with the reader, as happens -// with an external entity. Put a janitor on it to insure it gets -// cleaned up. The reader manager does not adopt them. +// with an external entity. Put a 'janitor' on it to ensure it gets +// cleaned up. While the reader
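Review bot: In the DGXMLScanner.cpp constructor hunk (`@@ -65,6 +65,7 @@`), the initializer `fDTDEntityJanitor(4, true, manager)` carries the whole fix in its second argument (adopt elements), so a one-line comment there saying the vector owns and deletes the decls would help the next reader; it also relies on `manager` being the constructor's MemoryManager parameter in both constructors, and the member being declared last in the class so the initializer order matches (the header hunk does append it last, so that part is consistent).

Review bot: In the `@@ -1046,13 +1048,14 @@` hunk, `fDTDEntityJanitor.addElement(declDTD)` extends the decl's lifetime to that of the scanner rather than the reader, so a scanner instance that is reused across many documents accumulates one DTDEntityDecl per external DTD until it is destroyed. The opening comment already concedes "Could perhaps do more to clean-up"; the cheap version would be to clear the vector where per-document state is reset. Also, between `new (fMemoryManager) DTDEntityDecl(...)` and `addElement` there is now no owner at all, so an exception thrown while growing the vector leaks the decl, which the old `Janitor janDecl(declDTD)` did cover.

Review bot: In the DGXMLScanner.hpp hunk (`@@ -175,6 +175,8 @@`), the added line reads `RefVectorOf fDTDEntityJanitor;` with no template argument, presumably `RefVectorOf<DTDEntityDecl>` eaten by Jira markup; the patch attachment should be checked before applying, along with whether the header already pulls in RefVectorOf.hpp. More importantly, a new data member changes the size and layout of DGXMLScanner, which is exactly the ABI question raised earlier in this thread about the installed internal/ headers: fine for a minor-version bump, not for a drop-in 3.2.x library replacement if anything downstream embeds or derives from the class.

Review bot: The IGXMLScanner.cpp `@@ -1526,13 +1528,14 @@` hunk stops mid-comment ("While the reader"), so the matching `addElement` line, the second IGXMLScanner site and the IGXMLScanner.hpp member declaration are not visible here; review against the full attachment rather than this pasted copy.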
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17057995#comment-17057995 ]

Scott Cantor commented on XERCESC-2188:

Thanks for the update. The original outline of the fix is sufficient for me or somebody else even passably competent to come up with the proposed patch, so I don't think there's any blocker apart from time.

There's a separate issue that was a possible candidate for a 3.3 so if that moves forward and the cycles exist I imagine the fix could be done then.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17057973#comment-17057973 ]

Sylvain Beucler commented on XERCESC-2188:

This adds to the current blockers, namely that a proper fix currently could not be reviewed, and would have high chances of breaking ABI. Consequently I do not plan to spend more time on writing a patch.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17057899#comment-17057899 ]

Scott Cantor commented on XERCESC-2188:

I branched this morning, so master is now open for 3.3 commits if necessary.

Before anything else, I wanted to clarify that I believe this patch is sufficient to warrant either an Apache license attached or a contribution agreement from the patch author. If neither of those is practical then I would advise that such a patch not actually be written and that it be left to the existing committers, but unfortunately there are none at the moment able to work on the issue. That's a catch-22, but the IPR is what it is. Hopefully slapping the license on would be ok.

Aside from that issue, my advice would be to eventually apply a patch to master and then if the team decides the patch is safe to apply to 3.2, we can always cherry-pick it back.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17055415#comment-17055415 ]

Sylvain Beucler commented on XERCESC-2188:

FWIW I spotted one embedding at [https://gitbox.apache.org/repos/asf?p=xerces-c.git;a=blob;f=src/xercesc/internal/XMLScanner.hpp;h=c8bdaf1fcfad32ef7b6c6424a879964db82ddfa2;hb=HEAD#l815] although I don't see internal/XMLScanner embedded in turn.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17055409#comment-17055409 ]

Scott Cantor commented on XERCESC-2188:

Also, we'd need to ensure that no actual public classes embed an instance of the modified class as a member if we were to change it in a 3.2.x. I have not checked for that possibility.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17055407#comment-17055407 ]

Scott Cantor commented on XERCESC-2188:

Yes, that's kind of the issue, what we can assume about the uses of the class. Technically, the view of the project is that the internal/ directory, while installed into header-space, is not technically meant to be API, so one can decide that any application broken by the change should be fixed, but we can't guarantee what is or isn't currently calling that stuff, and if the headers are actually installed because they're pulled in by public ones, that would make it impossible to de-install them going forward. But I plan to explore that question a bit because if we believe they shouldn't be called, we should try and avoid installing them.

In any case, for now I can't say what any downstream should do, we haven't really settled on whether to do this as a 3.2.3 or as 3.3.0.

And no, I have no reproduction of the bug and Red Hat said the same thing, that it didn't fail.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17055399#comment-17055399 ]

Sylvain Beucler commented on XERCESC-2188:

Hi, I'm no expert either and I'm merely forwarding the discussion myself.

From a distro point-of-view, I'm interested in patching xerces-c as-is (versions 3.1.1, 3.1.4 and 3.2.2), hopefully while preserving ABI compatibility (otherwise we'd have to recompile all packages that depend on libxerces-c).

AFAIU Hugo's patch suggestion implies modifying internal/ReaderMsg. First adding a default parameter to function ReaderMgr::pushReader, which could be done ABI-compatibly with a new function pushReaderAdopt instead. Then add a new private class member fAdoptedStack, which only stays ABI-compatible if no dependent program directly allocates an internal/ReaderMsg instance. From your comment, that does not seem guaranteed, though that could be a reasonable expectation. Again, I'm no expert.

(Incidentally, do you have access to a reproducer? The report mentions a "simple PoC through samples/StdInParse" but my own test on a basic XML+DTD does not trigger any ASAN warning.)
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17053458#comment-17053458 ]

Scott Cantor commented on XERCESC-2188:

My impression is that your proposed fix is probably a good one, but seems like it's likely to require a bump to 3.3 unless the push method is private. The Xerces project has no proper API definition/policy, so there's no allowance for anything being "internal" if it's callable unfortunately. But we were just talking about possibly branching for that.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17053450#comment-17053450 ]

Scott Cantor commented on XERCESC-2188:

I was not aware, thank you. I'm happy to look, but the simple fact is that I don't know this code and so I can't even begin to evaluate any proposed fix with any confidence. I don't use the DTD code, so I can't do any independent testing either.

I think Red Hat's position that a denial of service via memory leak is superior to a crash is defensible too, but they didn't make that argument, they simply silently did it without any explanation to their deployers.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17053366#comment-17053366 ]

Sylvain Beucler commented on XERCESC-2188:

For the record, there is another patch attempt from Debian: [https://lists.debian.org/debian-lts/2020/01/msg00055.html] though it didn't make it to the xerces c-dev mailing list (despite several attempts).

I'd be happy to provide a formalized patch here - is there upstream interest in fixing/reviewing this issue?
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17052252#comment-17052252 ]

Scott Cantor commented on XERCESC-2188:

Scanning the code further, it does not appear the entity "stack" in the ReaderMgr that these objects are pushed onto owns them or deletes them, so this appears to leak to me. But that's not authoritative, just noting for any future investigation.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17052244#comment-17052244 ]

Scott Cantor commented on XERCESC-2188:

Noting, Red Hat just shipped a "fix" for this backported to 3.0 and the fix is simply to remove the Janitors around the objects causing the problem, as far as I can tell. It's possible this is even correct if they're being freed independently at the right spot, but I don't know the code well enough to tell that.

Just for posterity:

{code} https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1311 --- xerces-c-3.0.1/src/xercesc/internal/IGXMLScanner.cpp.cve1311 +++ xerces-c-3.0.1/src/xercesc/internal/IGXMLScanner.cpp @@ -1533,7 +1533,6 @@ DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager); declDTD->setSystemId(sysId); declDTD->setIsExternal(true); -Janitor janDecl(declDTD); // Mark this one as a throw at end reader->setThrowAtEnd(true); @@ -3154,7 +3153,6 @@ DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager); declDTD->setSystemId(src.getSystemId()); declDTD->setIsExternal(true); -Janitor janDecl(declDTD); // Mark this one as a throw at end newReader->setThrowAtEnd(true); {code}
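Review bot: In the `@@ -1533,7 +1533,6 @@` hunk, deleting `-Janitor janDecl(declDTD);` closes the window in which the decl was freed while the reader still pointed at it, but it hands the object to nobody: `declDTD` is allocated with `new (fMemoryManager)` and, as noted later in this thread, the ReaderMgr stack neither owns nor deletes what is pushed onto it, so one DTDEntityDecl now leaks per external DTD scanned. If this is going to ship as the backport, the trade (leak instead of dangling pointer) should at least be stated in the patch header; the real fix is an owner that outlives the reader, either a container on the scanner or adoption by the reader manager.

Review bot: The `@@ -3154,7 +3153,6 @@` hunk is the same change at the `src.getSystemId()` site and has the same ownership gap; whatever owner is chosen for the first site should cover both, since the two differ only in where the system id comes from.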
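The thread above describes four ways to handle the same object: a scoped Janitor that frees the DTDEntityDecl while the ReaderMgr still holds it (the bug), the Red Hat backport that drops the Janitor and leaks, Andrew Williams' patch that parks the decls in a scanner-owned adopting vector, and Hugo's outline of a ReaderMgr that adopts what is pushed onto it. The following is an added example, not xerces-c code and not any contributor's patch: EntityDecl, Janitor, ReaderMgr and Scanner are reduced stand-ins for the Xerces classes named in the thread, and a liveness ledger replaces the real dereference so that the dangling pointer can be observed without executing undefined behaviour.

```cpp
// Added illustration, not xerces-c code: EntityDecl, Janitor, ReaderMgr and Scanner
// are stand-ins for the Xerces classes named in the thread, reduced to the ownership
// question. A liveness ledger replaces a real dereference, so the dangling pointer is
// observed without undefined behaviour.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

static std::set<const void*> g_live;   // addresses of EntityDecl objects alive right now

struct EntityDecl {
    std::string systemId;
    explicit EntityDecl(std::string id) : systemId(std::move(id)) { g_live.insert(this); }
    ~EntityDecl() { g_live.erase(this); }
};

struct Janitor {               // scoped deleter in the spirit of Janitor<T>
    EntityDecl* p;
    explicit Janitor(EntityDecl* d) : p(d) {}
    ~Janitor() { delete p; }
};

struct ReaderMgr {
    std::vector<EntityDecl*> stack;                    // non-owning, as the thread describes
    std::vector<std::unique_ptr<EntityDecl>> adopted;  // stand-in for the proposed fAdoptedStack
    void push(EntityDecl* d) { stack.push_back(d); }
    void pushAdopt(std::unique_ptr<EntityDecl> d) { stack.push_back(d.get()); adopted.push_back(std::move(d)); }
    // Pops the top entity and reports whether it was still alive when touched;
    // false means a real implementation would have read freed memory here.
    bool popAndTouch() {
        EntityDecl* d = stack.back();
        stack.pop_back();
        return g_live.count(d) != 0;
    }
};

struct Outcome { bool safe; std::size_t leaked; };

// Runs one scenario and counts the EntityDecl objects still alive afterwards.
template <class Body> static Outcome measure(Body body) {
    std::size_t before = g_live.size();
    bool safe = body();
    return {safe, g_live.size() - before};
}

// 1. Original shape (the CVE-2018-1311 pattern): the Janitor dies with this
//    helper's scope while the ReaderMgr keeps the raw pointer.
static void pushWithScopedJanitor(ReaderMgr& mgr) {
    EntityDecl* decl = new EntityDecl("external.dtd");
    Janitor jan(decl);
    mgr.push(decl);
}   // decl is freed here; mgr.stack still points at it

bool scopedJanitorIsSafe() {
    ReaderMgr mgr;
    pushWithScopedJanitor(mgr);
    return mgr.popAndTouch();   // false: the pointer is dangling
}

// 2. Backport shape: drop the Janitor, so nothing frees the decl.
Outcome noJanitorOutcome() {
    return measure([] {
        ReaderMgr mgr;
        mgr.push(new EntityDecl("external.dtd"));
        return mgr.popAndTouch();   // safe, but the decl is never freed
    });
}

// 3. Posted-patch shape: the scanner owns the decls in a member container
//    (stand-in for RefVectorOf with adoptElems=true) that outlives every scan.
struct Scanner {
    std::vector<std::unique_ptr<EntityDecl>> dtdEntityJanitor;
    ReaderMgr mgr;   // declared after the container, so it is destroyed first
    void pushOwned() {
        auto decl = std::make_unique<EntityDecl>("external.dtd");
        mgr.push(decl.get());
        dtdEntityJanitor.push_back(std::move(decl));
    }
};

Outcome ownerVectorOutcome() {
    return measure([] { Scanner s; s.pushOwned(); return s.mgr.popAndTouch(); });
}

// 4. Reader-manager-adopts shape (the pushReaderAdopt / fAdoptedStack idea).
Outcome adoptingReaderMgrOutcome() {
    return measure([] {
        ReaderMgr mgr;
        mgr.pushAdopt(std::make_unique<EntityDecl>("external.dtd"));
        return mgr.popAndTouch();   // safe; freed together with the ReaderMgr
    });
}

int main() {
    Outcome b = ownerVectorOutcome();
    std::printf("scoped janitor safe=%d, owner vector safe=%d leaked=%zu\n",
                scopedJanitorIsSafe(), b.safe, b.leaked);
    return 0;
}
```

Shapes 3 and 4 both keep the pointer valid for as long as the reader stack can reach it; the difference is who pays for it later. The scanner-owned vector (shape 3) grows for every external DTD a reused scanner processes until the scanner itself is destroyed, whereas adoption by the reader manager (shape 4) ties the decl's lifetime to the stack that actually references it, which is the cleaner ownership story but, as the thread notes, touches an internal class whose layout downstream code may depend on.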