Bug 1129537 (CVE-2019-9628)

Summary: VUL-0: CVE-2019-9628: xmltooling: incorrect handling of exceptions on malformed XML leading to denial of service
Product: [Novell Products] SUSE Security Incidents Reporter: Karol Babioch <karol>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: atoptsoglou, kstreitova, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/226077/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Karol Babioch 2019-03-18 09:25:15 UTC 
CVE-2019-9628

Ross Geerlings discovered that the XMLTooling library didn't correctly
handle exceptions on malformed XML declarations, which could result in
denial of service against the application using XMLTooling.
For the stable distribution (stretch), this problem has been fixed in
version 1.6.0-4+deb9u2.
We recommend that you upgrade your xmltooling packages.
For the detailed security status of xmltooling please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xmltooling

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9628
http://www.debian.org/security/2019/dsa-4407
Comment 2 Karol Babioch 2019-03-18 09:29:11 UTC 
Both SUSE:SLE-12-SP1:Update as well as SUSE:SLE-15:Update contain the vulnerable code. The upstream commit should be applicable without any complications as far as I can see.
Comment 3 Kristyna Streitova 2019-03-21 13:38:36 UTC 
|    Codestream    | Request |
|------------------|---------|
| SLE-12-SP1       | 187678  |
| SLE-15           | 187680  |
| openSUSE:Leap    | via SLE |
| openSUSE:Factory | 686947  |

Done, I'm reassigning it to the security team.
Comment 5 Swamp Workflow Management 2019-04-10 19:15:38 UTC 
SUSE-SU-2019:0929-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1129537
CVE References: CVE-2019-9628
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    xmltooling-1.6.4-3.3.2

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2019-04-10 19:16:13 UTC 
SUSE-SU-2019:0928-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1129537
CVE References: CVE-2019-9628
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    xmltooling-1.5.6-3.9.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xmltooling-1.5.6-3.9.1
SUSE Linux Enterprise Server 12-SP4 (src):    xmltooling-1.5.6-3.9.1
SUSE Linux Enterprise Server 12-SP3 (src):    xmltooling-1.5.6-3.9.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-04-18 16:14:50 UTC 
openSUSE-SU-2019:1235-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1129537
CVE References: CVE-2019-9628
Sources used:
openSUSE Leap 15.0 (src):    xmltooling-1.6.4-lp150.2.3.1
Comment 8 Swamp Workflow Management 2019-04-25 22:10:59 UTC 
openSUSE-SU-2019:1276-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1129537
CVE References: CVE-2019-9628
Sources used:
openSUSE Leap 42.3 (src):    xmltooling-1.5.6-12.1
Comment 9 Alexandros Toptsoglou 2020-04-23 15:39:25 UTC 
Done