Bugzilla – Bug 1185408
VUL-0: CVE-2021-3518: libxml2: use-after-free in xmlXIncludeDoProcess() in xinclude.c
Last modified: 2022-11-29 15:56:25 UTC
rh#1954242

A use-after-free was found in libxml2 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files.

Reference:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/237

Upstream patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1954242
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3518

tracking as affected:
- SUSE:SLE-11-SP1:Update/libxml2
- SUSE:SLE-12-SP2:Update/libxml2
- SUSE:SLE-15:Update/libxml2

Created attachment 848850
POC from https://gitlab.gnome.org/GNOME/libxml2/-/issues/237

All codestreams affected:

germ204:/usr/src/packages # ./BUILD/libxml2-2.9.7/xmllint --recover --dropdtd --nofixup-base-uris poc3
=================================================================
==16662==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000000048 at pc 0x7fcad027acd0 bp 0x7ffe30a3af30 sp 0x7ffe30a3af28
READ of size 4 at 0x60d000000048 thread T0
    #0 0x7fcad027accf in xmlXIncludeDoProcess /usr/src/packages/BUILD/libxml2-2.9.7/xinclude.c:2388
    #1 0x7fcad027affc in xmlXIncludeProcessTreeFlagsData__internal_alias /usr/src/packages/BUILD/libxml2-2.9.7/xinclude.c:2491
    #2 0x40a93f in parseAndPrintFile /usr/src/packages/BUILD/libxml2-2.9.7/xmllint.c:2433
    #3 0x406afd in main /usr/src/packages/BUILD/libxml2-2.9.7/xmllint.c:3757
    #4 0x7fcacf5ad349 in __libc_start_main (/lib64/libc.so.6+0x24349)
    #5 0x408789 in _start (/usr/src/packages/BUILD/libxml2-2.9.7/.libs/xmllint+0x408789)

0x60d000000048 is located 8 bytes inside of 136-byte region [0x60d000000040,0x60d0000000c8)
freed by thread T0 here:
    #0 0x7fcad0deb1a8 in __interceptor_free (/usr/lib64/libasan.so.4+0xdc1a8)
    #1 0x7fcad01dd462 in xmlHashFree__internal_alias /usr/src/packages/BUILD/libxml2-2.9.7/hash.c:339

previously allocated by thread T0 here:
    #0 0x7fcad0deb500 in malloc (/usr/lib64/libasan.so.4+0xdc500)
    #1 0x7fcad015e4f3 in xmlCreateEntity /usr/src/packages/BUILD/libxml2-2.9.7/entities.c:159

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/packages/BUILD/libxml2-2.9.7/xinclude.c:2388 in xmlXIncludeDoProcess
Shadow bytes around the buggy address:
  0x0c1a7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a7fff8000: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
  0x0c1a7fff8010: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c1a7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16662==ABORTING

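The report above names three sites: the faulting read, the free, and the original allocation. As an added example (not part of the bug report or of libxml2), the following Python code extracts those sites from an ASan report for triage and deduplication; the names `triage` and `signature` are made up for this example, and the embedded report is an abbreviated copy of the one above.

```python
import re

# Abbreviated copy of the ASan report in the comment above (access stack trimmed).
REPORT = """\
==16662==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000000048 at pc 0x7fcad027acd0 bp 0x7ffe30a3af30 sp 0x7ffe30a3af28
READ of size 4 at 0x60d000000048 thread T0
    #0 0x7fcad027accf in xmlXIncludeDoProcess /usr/src/packages/BUILD/libxml2-2.9.7/xinclude.c:2388
    #1 0x7fcad027affc in xmlXIncludeProcessTreeFlagsData__internal_alias /usr/src/packages/BUILD/libxml2-2.9.7/xinclude.c:2491
0x60d000000048 is located 8 bytes inside of 136-byte region [0x60d000000040,0x60d0000000c8)
freed by thread T0 here:
    #0 0x7fcad0deb1a8 in __interceptor_free (/usr/lib64/libasan.so.4+0xdc1a8)
    #1 0x7fcad01dd462 in xmlHashFree__internal_alias /usr/src/packages/BUILD/libxml2-2.9.7/hash.c:339
previously allocated by thread T0 here:
    #0 0x7fcad0deb500 in malloc (/usr/lib64/libasan.so.4+0xdc500)
    #1 0x7fcad015e4f3 in xmlCreateEntity /usr/src/packages/BUILD/libxml2-2.9.7/entities.c:159
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
RUNTIME = ("libasan", "libclang_rt")  # frames that live in the sanitizer runtime

def triage(report):
    """Return bug class, access kind/size and first non-runtime frame per stack."""
    out = {"kind": None, "access": None, "stacks": {}}
    section = None
    for line in report.splitlines():
        if (m := HEADER.search(line)):
            out["kind"] = m.group(1)
        elif (m := ACCESS.match(line)):
            out["access"] = (m.group(1), int(m.group(2)))
            section = "access"
        elif line.startswith("freed by thread"):
            section = "free"
        elif line.startswith("previously allocated by thread"):
            section = "alloc"
        elif section and section not in out["stacks"] and (m := FRAME.match(line)):
            func, loc = m.group(1), m.group(2)
            if not any(r in loc for r in RUNTIME):
                # Drop the __internal_alias suffix seen on libxml2 symbols in this trace.
                out["stacks"][section] = (func.replace("__internal_alias", ""), loc.rsplit("/", 1)[-1])
    return out

def signature(report):
    """Stable dedup key: bug class plus the access, free and alloc functions."""
    t = triage(report)
    return "|".join([t["kind"]] + [t["stacks"].get(s, ("?",))[0] for s in ("access", "free", "alloc")])
```

For this report the result reads as: an object allocated in xmlCreateEntity was released through xmlHashFree and then read in xmlXIncludeDoProcess.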
Factory submission: https://build.opensuse.org/request/show/889099
SUSE-SU-2021:1523-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185408,1185409,1185410
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
JIRA References:
Sources used:
SUSE MicroOS 5.0 (src): libxml2-2.9.7-3.31.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src): python-libxml2-python-2.9.7-3.31.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src): python-libxml2-python-2.9.7-3.31.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): libxml2-2.9.7-3.31.1, python-libxml2-python-2.9.7-3.31.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): libxml2-2.9.7-3.31.1, python-libxml2-python-2.9.7-3.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:1524-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185408,1185409,1185410
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libxml2-2.9.4-46.40.1
SUSE Linux Enterprise Server 12-SP5 (src): libxml2-2.9.4-46.40.1, python-libxml2-2.9.4-46.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:0692-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185408,1185409,1185410
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): libxml2-2.9.7-lp152.10.9.1, python-libxml2-python-2.9.7-lp152.10.9.1

SUSE-SU-2021:1654-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1185408,1185409,1185410,1185698
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References:
Sources used:
SUSE MicroOS 5.0 (src): libxml2-2.9.7-3.34.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src): python-libxml2-python-2.9.7-3.34.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src): python-libxml2-python-2.9.7-3.34.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): libxml2-2.9.7-3.34.1, python-libxml2-python-2.9.7-3.34.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): libxml2-2.9.7-3.34.1, python-libxml2-python-2.9.7-3.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:14729-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1159928,1161517,1161521,1176179,1185408,1185409,1185410,1185698
CVE References: CVE-2014-0191,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): libxml2-2.7.6-0.77.36.1, libxml2-python-2.7.6-0.77.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:1658-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1185408,1185409,1185410,1185698
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE OpenStack Cloud Crowbar 8 (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE OpenStack Cloud 9 (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE OpenStack Cloud 8 (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP5 (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1
HPE Helion Openstack 8 (src): libxml2-2.9.4-46.43.1, python-libxml2-2.9.4-46.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:0764-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1185408,1185409,1185410,1185698
CVE References: CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): libxml2-2.9.7-lp152.10.12.1, python-libxml2-python-2.9.7-lp152.10.12.1