Bugzilla – Bug 1139937
VUL-0: CVE-2018-20843: expat: large number of colons in input makes parser consume high amount of resources
Last modified: 2021-09-08 10:35:09 UTC
CVE-2018-20843: In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

External References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031
Upstream Issue: https://github.com/libexpat/libexpat/issues/186

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1723723
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20843
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20843.html
http://www.debian.org/security/2019/dsa-4472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
https://github.com/libexpat/libexpat/pull/262
https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
All codestreams seem affected. Tried to reproduce the issue in Leap 15 and SLE12-sp4 by running:

valgrind xmlwf clusterfuzz-testcase-4543406568112128.txt
==16501== Memcheck, a memory error detector
==16501== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16501== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==16501== Command: xmlwf clusterfuzz-testcase-4543406568112128.txt
==16501==
clusterfuzz-testcase-4543406568112128.txt:1:88403: no element found
==16501==
==16501== HEAP SUMMARY:
==16501==     in use at exit: 0 bytes in 0 blocks
==16501==   total heap usage: 108,147 allocs, 108,147 frees, 3,195,441,732 bytes allocated
==16501==
==16501== All heap blocks were freed -- no leaks are possible
==16501==
==16501== For counts of detected and suppressed errors, rerun with: -v
==16501== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

As you can see, 3 GB are allocated. The POC is attached.

Version 2.2.7 will contain the fix. The fix is also available at [1].

[1] https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
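A pre-parse guard for the pattern this bug describes, added here as an example and not part of expat, the PoC, or the SUSE update. In namespace-aware XML a name is at most prefix:local, so any element or attribute name with more than one colon can be rejected before the document reaches a parser that may still be unpatched; the function names and sample documents are my own constructions, and the check covers attribute names as well as element names.

```python
import re
from typing import List

# Namespace-well-formed XML names carry at most one colon (prefix:local).
MAX_COLONS = 1
NAME_CHARS = r"[A-Za-z0-9_.:\-]"

# Constructs whose bodies are not element/attribute names: drop them first.
_SKIP_RE = re.compile(
    r"<!--.*?-->|<!\[CDATA\[.*?\]\]>|<\?.*?\?>|<!DOCTYPE[^\[>]*(?:\[.*?\])?\s*>", re.S)
# A tag, tolerating '>' inside quoted attribute values.
_TAG_RE = re.compile(r"<(?:[^>\"']|\"[^\"]*\"|'[^']*')*>", re.S)
# Quoted attribute values may legitimately contain many colons (URNs), so blank them.
_QUOTED_RE = re.compile(r"\"[^\"]*\"|'[^']*'")
# Element name directly after '<' or '</'; attribute names are followed by '='.
_ELEM_RE = re.compile(r"^</?\s*(" + NAME_CHARS + r"+)")
_ATTR_RE = re.compile(r"\s(" + NAME_CHARS + r"+)\s*=")


def over_coloned_names(xml_text: str, max_colons: int = MAX_COLONS) -> List[str]:
    """Return every element or attribute name carrying more than max_colons colons."""
    stripped = _SKIP_RE.sub("", xml_text)
    bad = []
    for tag in _TAG_RE.finditer(stripped):
        body = _QUOTED_RE.sub('""', tag.group(0))
        names = _ELEM_RE.findall(body) + _ATTR_RE.findall(body)
        bad.extend(n for n in names if n.count(":") > max_colons)
    return bad


def safe_to_parse(xml_text: str) -> bool:
    """True when no name exceeds the colon budget; only then hand the text to expat."""
    return not over_coloned_names(xml_text)


# Constructed samples: a normal namespaced document and one with a 50-colon name.
GOOD_DOC = ('<?xml version="1.0"?>\n'
            '<r:root xmlns:r="urn:example:ns"><r:item id="1">a::b</r:item></r:root>')
BAD_NAME = "a" + ":b" * 50
BAD_DOC = "<doc><" + BAD_NAME + "/></doc>"

if __name__ == "__main__":
    print("good doc safe:", safe_to_parse(GOOD_DOC))   # True
    print("bad doc safe: ", safe_to_parse(BAD_DOC))    # False
    print("offending:", over_coloned_names(BAD_DOC)[:1])
```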
Created attachment 809039: POC
The patch fixes the issue; see that it now allocates much less memory. Tested in SLE-15 and Factory:

# valgrind xmlwf clusterfuzz-testcase-4543406568112128.txt
==3980== Memcheck, a memory error detector
==3980== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3980== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==3980== Command: xmlwf clusterfuzz-testcase-4543406568112128.txt
==3980==
clusterfuzz-testcase-4543406568112128.txt:1:88403: no element found
==3980==
==3980== HEAP SUMMARY:
==3980==     in use at exit: 0 bytes in 0 blocks
==3980==   total heap usage: 19 allocs, 19 frees, 398,252 bytes allocated
==3980==
==3980== All heap blocks were freed -- no leaks are possible
==3980==
==3980== For counts of detected and suppressed errors, rerun with: -v
==3980== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

I'll submit now.
Updated to version 2.2.7 in Factory: https://build.opensuse.org/request/show/713044
This is an autogenerated message for OBS integration: This bug (1139937) was mentioned in https://build.opensuse.org/request/show/713395 Factory / expat
SUSE-SU-2019:1835-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1139937
CVE References: CVE-2018-20843
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): expat-2.2.5-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): expat-2.2.5-3.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src): expat-2.2.5-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1834-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1139937
CVE References: CVE-2018-20843
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): expat-2.1.0-21.6.1
SUSE Linux Enterprise Server 12-SP4 (src): expat-2.1.0-21.6.1
SUSE Linux Enterprise Desktop 12-SP4 (src): expat-2.1.0-21.6.1
SUSE CaaS Platform 3.0 (src): expat-2.1.0-21.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2019-08-01. When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64319
openSUSE-SU-2019:1777-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1139937
CVE References: CVE-2018-20843
Sources used:
openSUSE Leap 15.1 (src): expat-2.2.5-lp151.3.3.1
openSUSE Leap 15.0 (src): expat-2.2.5-lp150.2.3.1
Done