Bug 1191856 (CVE-2019-20005)

Summary: VUL-0: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199: netcdf: multiple vulnerabilities in ezXML
Product: [Novell Products] SUSE Security Incidents
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Incidents
Assignee: Egbert Eich <eich>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/249835/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-20005:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2019-20006:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2019-20007:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2019-20198:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2019-20199:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2019-20200:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2019-20201:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2019-20202:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-26220:4.7:(AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-26221:4.7:(AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-26222:6.0:(AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H) CVSSv3.1:SUSE:CVE-2021-30485:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-31229:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-31347:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-31348:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-31598:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gabriele Sonnu 2021-10-20 07:45:48 UTC
Multiple security issues were found in ezXML which is bundled in netcdf.

CVE-2019-20005: https://sourceforge.net/p/ezxml/bugs/14/
CVE-2019-20006: https://sourceforge.net/p/ezxml/bugs/15/
CVE-2019-20007: https://sourceforge.net/p/ezxml/bugs/13/
CVE-2019-20198: https://sourceforge.net/p/ezxml/bugs/20/
CVE-2019-20199: https://sourceforge.net/p/ezxml/bugs/18/
CVE-2019-20200: https://sourceforge.net/p/ezxml/bugs/19/
CVE-2019-20201: https://sourceforge.net/p/ezxml/bugs/16/
CVE-2019-20202: https://sourceforge.net/p/ezxml/bugs/17/
CVE-2021-26220: https://sourceforge.net/p/ezxml/bugs/23/
CVE-2021-26221: https://sourceforge.net/p/ezxml/bugs/21/
CVE-2021-26222: https://sourceforge.net/p/ezxml/bugs/22/
CVE-2021-30485: https://sourceforge.net/p/ezxml/bugs/25/
CVE-2021-31229: https://sourceforge.net/p/ezxml/bugs/26/
CVE-2021-31348 / CVE-2021-31347: https://sourceforge.net/p/ezxml/bugs/27/
CVE-2021-31598: https://sourceforge.net/p/ezxml/bugs/28/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2001671
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20200
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20201
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20007
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26221
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20202
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31598
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26220
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31347
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20198
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20005
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31229
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30485
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20199
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31348
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26222
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20200
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31347
Comment 1 Gabriele Sonnu 2021-10-20 07:46:39 UTC
Affected packages:

 - SUSE:SLE-15-SP1:Update/netcdf                  4.6.1
 - SUSE:SLE-15-SP2:Update/netcdf                  4.7.3
 - SUSE:SLE-15-SP3:Update/netcdf                  4.7.4
 - SUSE:SLE-15:Update/netcdf                      4.6.1
 - openSUSE:Backports:SLE-15-SP2/netcdf           4.7.3 
 - openSUSE:Backports:SLE-15-SP3/netcdf           4.7.4
 - openSUSE:Backports:SLE-15-SP4/netcdf           4.7.4
 - openSUSE:Factory/netcdf                        4.8.0

Upstream patch:

https://github.com/Unidata/netcdf-c/pull/2125
Comment 2 Egbert Eich 2021-10-23 19:13:38 UTC
Of the 15 reported issues only 4 are fixed. One of the 4 patches is bogus. The 'upstream patch' is a conglomerate of these 4 patches (including the bogus one!) and a 'big restructuring'. The upstream patch calls exit(-1) when it encounters an error instead of reporting an error to the caller, as the ezxml library used does not provide error reporting. Calling exit() when encountering an error is not much better than crashing.
I do, however, consider the risk of encountering broken XML rather low. XML is used here to obtain information about the data sets from a DAP4 server. The risk of getting bogus XML data from a legitimate server is negligible. However, the connection may be unauthenticated. Also there seem to be 'public' DAP4 servers on the internet which provide climate data for instance. Connection spoofing and 'man in the middle' may be possible.
Comment 3 Egbert Eich 2021-10-24 08:13:25 UTC
The fix in bug #26 (CVE-2021-31229) https://sourceforge.net/p/ezxml/bugs/26/
also fixes bug #16 (CVE-2019-20201) https://sourceforge.net/p/ezxml/bugs/16/
and bug #20 (CVE-2019-20198) https://sourceforge.net/p/ezxml/bugs/20/
while the fix in bug #28 (CVE-2021-31598) https://sourceforge.net/p/ezxml/bugs/28/
is bogus. The issue gets addressed by a fix for bug #15 (CVE-2019-20006), which also fixes bug #17 (CVE-2021-31598).

The issues:
CVE-2021-26221 / bug #21 https://sourceforge.net/p/ezxml/bugs/21/
CVE-2021-26222 / bug #22 https://sourceforge.net/p/ezxml/bugs/26/
CVE-2021-26220 / bug #23 https://sourceforge.net/p/ezxml/bugs/26/
all address out-of-memory conditions. The code calls malloc()/realloc() frequently, however it never checks if the operation succeeds. Apparently, the code has been used as a test bed for a library wrapper which injects out-of-memory conditions to check whether these are handled gracefully.
The reported issues are fixable, however, fixing this problem everywhere in the code is challenging as none of the inner functions are able to report back an error condition.
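
The pattern discussed in Comments 2 and 3, as an added example that is not ezXML, netcdf or upstream patch code: an inner helper that checks realloc() and returns an error code, an outer function that passes the failure to its caller instead of calling exit(), and a small fault injector to exercise the out-of-memory path. All names here (`xrealloc`, `alloc_budget`, `buf_append`, `join_fields`, `try_join`) and the sample field strings are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fault injector: allocations still allowed (-1 = unlimited). */
static int alloc_budget = -1;
static void *xrealloc(void *p, size_t n) {
    if (alloc_budget == 0) return NULL;      /* injected out-of-memory */
    if (alloc_budget > 0) alloc_budget--;
    return realloc(p, n);
}

struct buf { char *data; size_t len; };

/* Inner helper: 0 on success, -1 on failure; on failure *b is untouched. */
static int buf_append(struct buf *b, const char *s, size_t n) {
    if (n >= SIZE_MAX - b->len) return -1;   /* len + n + 1 would overflow */
    char *tmp = xrealloc(b->data, b->len + n + 1);
    if (tmp == NULL) return -1;              /* old b->data is still valid */
    b->data = tmp;
    memcpy(tmp + b->len, s, n);
    b->len += n;
    tmp[b->len] = '\0';
    return 0;
}

/* Outer function: returns a malloc'd "a,b,c" string, or NULL on any failure. */
char *join_fields(const char *const *fields, size_t count) {
    struct buf b = { NULL, 0 };
    if (buf_append(&b, "", 0) != 0) return NULL;
    for (size_t i = 0; i < count; i++) {
        if ((i > 0 && buf_append(&b, ",", 1) != 0) ||
            buf_append(&b, fields[i], strlen(fields[i])) != 0) {
            free(b.data);                    /* drop partial result, no exit() */
            return NULL;
        }
    }
    return b.data;
}

/* Constructed demo: 1 = joined correctly, 0 = failure reported to caller. */
int try_join(int budget) {
    static const char *const f[] = { "dims", "vars", "attrs" };
    alloc_budget = budget;
    char *s = join_fields(f, 3);
    int ok = (s != NULL && strcmp(s, "dims,vars,attrs") == 0);
    free(s);
    return ok;
}
```

Assigning realloc()'s result to a temporary first is what keeps the old buffer reachable, so the failure path can free it rather than leak or dereference NULL.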
Comment 4 OBSbugzilla Bot 2021-10-25 18:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1191856) was mentioned in
https://build.opensuse.org/request/show/927333 Factory / netcdf
Comment 5 Egbert Eich 2021-10-26 19:34:56 UTC
The SLE12 HPC module is not affected as the code in question wasn't present in that version of netcdf.
Comment 6 Egbert Eich 2021-10-26 19:41:13 UTC
CVE-2019-20005 - this issue cannot be reproduced. No fix available.
CVE-2021-26220 - netcdf is not affected as affected code is used.
Comment 8 Swamp Workflow Management 2021-11-25 17:24:16 UTC
SUSE-SU-2021:3805-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1191856
CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 15-SP2 (src):    netcdf_4_7_3-gnu-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-mpich-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-mvapich2-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-openmpi2-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-openmpi3-hpc-4.7.3-3.7.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-11-25 17:25:46 UTC
SUSE-SU-2021:3804-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1191856
CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598
JIRA References: 
Sources used:
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    netcdf_4_6_1-gnu-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-mpich-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-mvapich2-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-openmpi2-hpc-4.6.1-5.7.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    netcdf_4_6_1-gnu-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-mpich-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-mvapich2-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-openmpi2-hpc-4.6.1-5.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-11-25 17:38:59 UTC
openSUSE-SU-2021:3804-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1191856
CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    netcdf-4.6.1-5.7.1, netcdf-openmpi-4.6.1-5.7.1
Comment 11 Swamp Workflow Management 2021-11-25 17:40:19 UTC
openSUSE-SU-2021:3805-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1191856
CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    netcdf_4_7_3-gnu-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-mpich-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-mvapich2-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-openmpi2-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-openmpi3-hpc-4.7.3-3.7.2
Comment 12 Swamp Workflow Management 2021-11-26 14:17:38 UTC
openSUSE-SU-2021:1505-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1191856
CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    netcdf_4_7_3-gnu-hpc-4.7.3-lp152.2.6.1, netcdf_4_7_3-gnu-mpich-hpc-4.7.3-lp152.2.6.1, netcdf_4_7_3-gnu-mvapich2-hpc-4.7.3-lp152.2.6.1, netcdf_4_7_3-gnu-openmpi2-hpc-4.7.3-lp152.2.6.1, netcdf_4_7_3-gnu-openmpi3-hpc-4.7.3-lp152.2.6.1
Comment 13 Swamp Workflow Management 2021-11-30 14:17:38 UTC
SUSE-SU-2021:3815-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1191856
CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598
JIRA References: 
Sources used:
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    netcdf_4_6_1-gnu-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mpich-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mvapich2-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-openmpi2-hpc-4.6.1-10.7.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    netcdf_4_6_1-gnu-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mpich-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mvapich2-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-openmpi2-hpc-4.6.1-10.7.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-11-30 14:18:58 UTC
openSUSE-SU-2021:3815-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1191856
CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    netcdf_4_6_1-gnu-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mpich-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mvapich2-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-openmpi1-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-openmpi2-hpc-4.6.1-10.7.2
Comment 15 Swamp Workflow Management 2021-12-02 11:46:26 UTC
SUSE-SU-2021:3873-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1191856
CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    netcdf_4_7_4-gnu-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mpich-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mvapich2-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi3-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi4-hpc-4.7.4-4.3.2
SUSE Linux Enterprise Module for HPC 15-SP3 (src):    netcdf_4_7_4-gnu-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mpich-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mvapich2-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi3-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi4-hpc-4.7.4-4.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2021-12-02 12:04:57 UTC
openSUSE-SU-2021:3873-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1191856
CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    netcdf-4.7.4-4.3.2, netcdf-openmpi2-4.7.4-4.3.2, netcdf-openmpi3-4.7.4-4.3.2, netcdf-openmpi4-4.7.4-4.3.2, netcdf_4_7_4-gnu-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mpich-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mvapich2-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi2-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi3-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi4-hpc-4.7.4-4.3.2
Comment 17 Egbert Eich 2022-05-04 12:17:29 UTC
Released.