Bug 1185408 - (CVE-2021-3518) VUL-0: CVE-2021-3518: libxml2: use-after-free in xmlXIncludeDoProcess() in xinclude.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/282975/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3518:5.9:(AV:N...
Reported: 2021-04-28 12:45 UTC by Robert Frohl
Modified: 2022-11-29 15:56 UTC
Found By: Security Response Team

Attachments
POC from https://gitlab.gnome.org/GNOME/libxml2/-/issues/237 (166 bytes, patch)
2021-04-28 17:53 UTC, Pedro Monreal Gonzalez

Description Robert Frohl 2021-04-28 12:45:34 UTC
rh#1954242

A use-after-free was found in libxml2 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files.

Reference:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/237

Upstream patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1954242
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3518
Comment 1 Robert Frohl 2021-04-28 12:46:44 UTC
tracking as affected:

- SUSE:SLE-11-SP1:Update/libxml2
- SUSE:SLE-12-SP2:Update/libxml2
- SUSE:SLE-15:Update/libxml2
Comment 2 Pedro Monreal Gonzalez 2021-04-28 17:53:58 UTC
Created attachment 848850 [details]
POC from https://gitlab.gnome.org/GNOME/libxml2/-/issues/237

All codestreams affected:

germ204:/usr/src/packages # ./BUILD/libxml2-2.9.7/xmllint --recover --dropdtd --nofixup-base-uris poc3
=================================================================
==16662==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000000048 at pc 0x7fcad027acd0 bp 0x7ffe30a3af30 sp 0x7ffe30a3af28
READ of size 4 at 0x60d000000048 thread T0
    #0 0x7fcad027accf in xmlXIncludeDoProcess /usr/src/packages/BUILD/libxml2-2.9.7/xinclude.c:2388
    #1 0x7fcad027affc in xmlXIncludeProcessTreeFlagsData__internal_alias /usr/src/packages/BUILD/libxml2-2.9.7/xinclude.c:2491
    #2 0x40a93f in parseAndPrintFile /usr/src/packages/BUILD/libxml2-2.9.7/xmllint.c:2433
    #3 0x406afd in main /usr/src/packages/BUILD/libxml2-2.9.7/xmllint.c:3757
    #4 0x7fcacf5ad349 in __libc_start_main (/lib64/libc.so.6+0x24349)
    #5 0x408789 in _start (/usr/src/packages/BUILD/libxml2-2.9.7/.libs/xmllint+0x408789)

0x60d000000048 is located 8 bytes inside of 136-byte region [0x60d000000040,0x60d0000000c8)
freed by thread T0 here:
    #0 0x7fcad0deb1a8 in __interceptor_free (/usr/lib64/libasan.so.4+0xdc1a8)
    #1 0x7fcad01dd462 in xmlHashFree__internal_alias /usr/src/packages/BUILD/libxml2-2.9.7/hash.c:339

previously allocated by thread T0 here:
    #0 0x7fcad0deb500 in malloc (/usr/lib64/libasan.so.4+0xdc500)
    #1 0x7fcad015e4f3 in xmlCreateEntity /usr/src/packages/BUILD/libxml2-2.9.7/entities.c:159

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/packages/BUILD/libxml2-2.9.7/xinclude.c:2388 in xmlXIncludeDoProcess
==16662==ABORTING
Comment 3 Pedro Monreal Gonzalez 2021-04-28 18:05:29 UTC
Factory submission:
   https://build.opensuse.org/request/show/889099
Comment 6 Swamp Workflow Management 2021-05-05 19:25:25 UTC
SUSE-SU-2021:1523-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185408,1185409,1185410
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    libxml2-2.9.7-3.31.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python-libxml2-python-2.9.7-3.31.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    python-libxml2-python-2.9.7-3.31.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libxml2-2.9.7-3.31.1, python-libxml2-python-2.9.7-3.31.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libxml2-2.9.7-3.31.1, python-libxml2-python-2.9.7-3.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2021-05-05 19:26:40 UTC
SUSE-SU-2021:1524-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185408,1185409,1185410
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libxml2-2.9.4-46.40.1
SUSE Linux Enterprise Server 12-SP5 (src):    libxml2-2.9.4-46.40.1, python-libxml2-2.9.4-46.40.1
Comment 8 Swamp Workflow Management 2021-05-09 07:14:58 UTC
openSUSE-SU-2021:0692-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185408,1185409,1185410
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libxml2-2.9.7-lp152.10.9.1, python-libxml2-python-2.9.7-lp152.10.9.1
Comment 10 Swamp Workflow Management 2021-05-19 19:17:32 UTC
SUSE-SU-2021:1654-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1185408,1185409,1185410,1185698
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    libxml2-2.9.7-3.34.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python-libxml2-python-2.9.7-3.34.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    python-libxml2-python-2.9.7-3.34.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libxml2-2.9.7-3.34.1, python-libxml2-python-2.9.7-3.34.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libxml2-2.9.7-3.34.1, python-libxml2-python-2.9.7-3.34.1
Comment 11 Swamp Workflow Management 2021-05-19 19:20:23 UTC
SUSE-SU-2021:14729-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1159928,1161517,1161521,1176179,1185408,1185409,1185410,1185698
CVE References: CVE-2014-0191,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
Comment 12 Swamp Workflow Management 2021-05-19 19:22:25 UTC
SUSE-SU-2021:1658-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1185408,1185409,1185410,1185698
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE OpenStack Cloud Crowbar 8 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE OpenStack Cloud 9 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE OpenStack Cloud 8 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP5 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
HPE Helion Openstack 8 (src):    libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
Comment 13 Swamp Workflow Management 2021-05-22 10:19:32 UTC
openSUSE-SU-2021:0764-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1185408,1185409,1185410,1185698
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libxml2-2.9.7-lp152.10.12.1, python-libxml2-python-2.9.7-lp152.10.12.1
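As an added example (not part of this bug report or of SUSE's tooling): a small Python check that compares an installed libxml2 source build, written as "name-version-release" the way the update notices above print it, against the fixed builds those notices list, using a simplified reimplementation of rpm's version comparison. The codestream labels and the sample inputs are my own constructions.

```python
import re

# Fixed libxml2 "version-release" strings per codestream, taken from the
# update notices in this bug. Codestream labels are my own shorthand.
FIXED_LIBXML2 = {
    "SLE-15-SP2": "2.9.7-3.31.1",          # SUSE-SU-2021:1523-1
    "SLE-15-SP3": "2.9.7-3.31.1",          # SUSE-SU-2021:1523-1
    "SLE-12-SP5": "2.9.4-46.40.1",         # SUSE-SU-2021:1524-1
    "SLE-11-SP4-LTSS": "2.7.6-0.77.36.1",  # SUSE-SU-2021:14729-1
    "Leap-15.2": "2.9.7-lp152.10.9.1",     # openSUSE-SU-2021:0692-1
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpm version/release compare: numeric segments compare as
    integers, alphabetic ones lexically, numeric beats alphabetic, and
    leftover segments win. Real rpm's tilde/caret rules are omitted."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)     # "31" > "4", unlike a string compare
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_nvr(nvr):
    """'python-libxml2-python-2.9.7-3.31.1' -> (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(codestream, installed_nvr):
    """True if the installed libxml2 build is at or past the fixed build."""
    _, ver, rel = parse_nvr(installed_nvr)
    fixed_ver, fixed_rel = FIXED_LIBXML2[codestream].rsplit("-", 1)
    return (rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)) >= 0


if __name__ == "__main__":
    # Constructed sample inputs: one build below and one at the fixed release.
    for cs, nvr in [("SLE-15-SP2", "libxml2-2.9.7-3.30.1"),
                    ("SLE-15-SP2", "libxml2-2.9.7-3.31.1")]:
        print(cs, nvr, "fixed" if is_fixed(cs, nvr) else "VULNERABLE")
```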