Bug 1149429 - (CVE-2019-15903) VUL-0: CVE-2019-15903: expat: crafted XML input results in heap-based buffer over-read by fooling the parser into changing from DTD parsing to document parsing
(CVE-2019-15903)
VUL-0: CVE-2019-15903: expat: crafted XML input results in heap-based buffer ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/241723/
CVSSv3.1:SUSE:CVE-2019-15903:7.5:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-09-04 14:46 UTC by Alexandros Toptsoglou
Modified: 2022-08-03 12:02 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
POC (680 bytes, text/x-csrc)
2019-09-04 16:37 UTC, Alexandros Toptsoglou
Details
Backported patch for SLE-15 (3.66 KB, patch)
2019-09-04 17:21 UTC, Pedro Monreal Gonzalez
Details | Diff
Backported tests patch for SLE-15 (3.48 KB, patch)
2019-09-04 17:23 UTC, Pedro Monreal Gonzalez
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2019-09-04 14:46:43 UTC
CVE-2019-15903

In libexpat before 2.2.8, crafted XML input could fool the parser into changing
from DTD parsing to document parsing too early; a consecutive call to
XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a
heap-based buffer over-read.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
https://github.com/libexpat/libexpat/pull/318
https://github.com/libexpat/libexpat/issues/317
Comment 1 Alexandros Toptsoglou 2019-09-04 16:37:31 UTC
The fix is available at [1]. A new version is comming soon that will also include the fix. 
I attempted successfully to reproduce the issue at SLE15 and SLE11. 
Tracked as affected: 
SUSE:SLE-10-SP3:Update 
SUSE:SLE-11:Update 
SUSE:SLE-12:Update 
SUSE:SLE-15:Update 

To reproduce the issue simply:

1) gcc -lexpat $POC -o bug
2) valgrind ./bug

OUTPUT: 

==31073== Use of uninitialised value of size 8
==31073==    at 0x4E4B97B: normal_updatePosition (xmltok_impl.c:1725)
==31073==    by 0x4E49CE4: XML_GetCurrentLineNumber (xmlparse.c:2244)
==31073==    by 0x400846: main (in /home/alex/Downloads/expat/bug)
==31073== 
==31073== Invalid read of size 1
==31073==    at 0x4E4B978: normal_updatePosition (xmltok_impl.c:1725)
==31073==    by 0x4E49CE4: XML_GetCurrentLineNumber (xmlparse.c:2244)
==31073==    by 0x400846: main (in /home/alex/Downloads/expat/bug)
==31073==  Address 0x5428450 is 0 bytes after a block of size 2,048 alloc'd
==31073==    at 0x4C2E2DF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31073==    by 0x4E49745: XML_GetBuffer (xmlparse.c:2072)
==31073==    by 0x4E499C9: XML_Parse (xmlparse.c:1942)
==31073==    by 0x400832: main (in /home/alex/Downloads/expat/bug)

More info for the reproducing steps at [2] 


[1] https://github.com/libexpat/libexpat/pull/318/commits
[2] https://github.com/libexpat/libexpat/issues/317
Comment 2 Alexandros Toptsoglou 2019-09-04 16:37:56 UTC
Created attachment 816880 [details]
POC
Comment 3 Pedro Monreal Gonzalez 2019-09-04 17:21:56 UTC
Created attachment 816884 [details]
Backported patch for SLE-15

After applying the patch:

==12439== HEAP SUMMARY:
==12439==     in use at exit: 22,862 bytes in 17 blocks
==12439==   total heap usage: 66 allocs, 49 frees, 69,998 bytes allocated
==12439== 
==12439== LEAK SUMMARY:
==12439==    definitely lost: 0 bytes in 0 blocks
==12439==    indirectly lost: 0 bytes in 0 blocks
==12439==      possibly lost: 0 bytes in 0 blocks
==12439==    still reachable: 22,862 bytes in 17 blocks
==12439==         suppressed: 0 bytes in 0 blocks
Comment 4 Pedro Monreal Gonzalez 2019-09-04 17:23:19 UTC
Created attachment 816885 [details]
Backported tests patch for SLE-15
Comment 5 Pedro Monreal Gonzalez 2019-09-04 17:24:23 UTC
Thanks for the detailed description! I'll update Factory to version 2.2.8 once released.
Comment 8 Swamp Workflow Management 2019-09-06 13:06:24 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-09-20.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64351
Comment 11 Swamp Workflow Management 2019-09-23 13:13:52 UTC
SUSE-SU-2019:2429-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1149429
CVE References: CVE-2019-15903
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    expat-2.2.5-3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    expat-2.2.5-3.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    expat-2.2.5-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2019-09-23 19:10:40 UTC
SUSE-SU-2019:2440-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1149429
CVE References: CVE-2019-15903
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    expat-2.1.0-21.9.1
SUSE Linux Enterprise Server 12-SP4 (src):    expat-2.1.0-21.9.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    expat-2.1.0-21.9.1
SUSE CaaS Platform 3.0 (src):    expat-2.1.0-21.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-09-28 16:15:56 UTC
openSUSE-SU-2019:2204-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1149429
CVE References: CVE-2019-15903
Sources used:
openSUSE Leap 15.0 (src):    expat-2.2.5-lp150.2.6.1
Comment 14 Swamp Workflow Management 2019-09-28 16:16:29 UTC
openSUSE-SU-2019:2205-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1149429
CVE References: CVE-2019-15903
Sources used:
openSUSE Leap 15.1 (src):    expat-2.2.5-lp151.3.6.1
Comment 16 Swamp Workflow Management 2019-10-31 11:19:48 UTC
SUSE-SU-2019:2872-1: An update that fixes 51 vulnerabilities is now available.

Category: security (important)
Bug References: 1010399,1010405,1010406,1010408,1010409,1010421,1010423,1010424,1010425,1010426,1025108,1043008,1047281,1074235,1092611,1120374,1137990,1149429,1154738,959933,983922
CVE References: CVE-2016-2830,CVE-2016-5289,CVE-2016-5292,CVE-2016-9063,CVE-2016-9067,CVE-2016-9068,CVE-2016-9069,CVE-2016-9071,CVE-2016-9073,CVE-2016-9075,CVE-2016-9076,CVE-2016-9077,CVE-2017-7789,CVE-2018-5150,CVE-2018-5151,CVE-2018-5152,CVE-2018-5153,CVE-2018-5154,CVE-2018-5155,CVE-2018-5157,CVE-2018-5158,CVE-2018-5159,CVE-2018-5160,CVE-2018-5163,CVE-2018-5164,CVE-2018-5165,CVE-2018-5166,CVE-2018-5167,CVE-2018-5168,CVE-2018-5169,CVE-2018-5172,CVE-2018-5173,CVE-2018-5174,CVE-2018-5175,CVE-2018-5176,CVE-2018-5177,CVE-2018-5178,CVE-2018-5179,CVE-2018-5180,CVE-2018-5181,CVE-2018-5182,CVE-2018-5183,CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-15903
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE OpenStack Cloud 7 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP4 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Enterprise Storage 5 (src):    MozillaFirefox-68.2.0-109.95.2
HPE Helion Openstack 8 (src):    MozillaFirefox-68.2.0-109.95.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2019-10-31 11:23:21 UTC
SUSE-SU-2019:2871-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1104841,1129528,1137990,1149429,1151186,1153423,1153869,1154738
CVE References: CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-15903
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    MozillaFirefox-68.2.0-3.59.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    MozillaFirefox-68.2.0-3.59.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    MozillaFirefox-68.2.0-3.59.1, MozillaFirefox-branding-SLE-68-4.11.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    MozillaFirefox-68.2.0-3.59.1, MozillaFirefox-branding-SLE-68-4.11.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2019-11-07 14:15:03 UTC
SUSE-SU-2019:2912-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1149126,1149429,1151186,1152778,1153879,1154738
CVE References: CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-15903
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-68.2.1-3.58.1
SUSE Linux Enterprise Workstation Extension 15 (src):    MozillaThunderbird-68.2.1-3.58.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2019-11-09 17:16:18 UTC
openSUSE-SU-2019:2451-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1104841,1129528,1137990,1149429,1151186,1153423,1153869,1154738
CVE References: CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-15903
Sources used:
openSUSE Leap 15.1 (src):    MozillaFirefox-68.2.0-lp151.2.18.2, MozillaFirefox-branding-openSUSE-68-lp151.3.3.1, firefox-esr-branding-openSUSE-68-lp151.3.3.1
Comment 20 Swamp Workflow Management 2019-11-09 17:17:37 UTC
openSUSE-SU-2019:2459-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1104841,1129528,1137990,1149429,1151186,1153423,1153869,1154738
CVE References: CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-15903
Sources used:
openSUSE Leap 15.0 (src):    MozillaFirefox-68.2.0-lp150.3.71.1, MozillaFirefox-branding-openSUSE-68-lp150.3.3.1, firefox-esr-branding-openSUSE-68-lp150.3.3.1
Comment 21 Swamp Workflow Management 2019-11-09 17:19:27 UTC
openSUSE-SU-2019:2452-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1149126,1149429,1151186,1152778,1153879,1154738
CVE References: CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-15903
Sources used:
openSUSE Leap 15.1 (src):    MozillaThunderbird-68.2.1-lp151.2.16.1
Comment 22 Swamp Workflow Management 2019-11-09 17:20:35 UTC
openSUSE-SU-2019:2464-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1149126,1149429,1151186,1152778,1153879,1154738
CVE References: CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-15903
Sources used:
openSUSE Leap 15.0 (src):    MozillaThunderbird-68.2.1-lp150.3.54.1
Comment 23 Swamp Workflow Management 2020-02-03 17:13:49 UTC
SUSE-SU-2020:0302-1: An update that solves 10 vulnerabilities and has 11 fixes is now available.

Category: security (important)
Bug References: 1027282,1029377,1081750,1083507,1086001,1088009,1094814,1109663,1137942,1138459,1141853,1149121,1149429,1149792,1149955,1151490,1159035,1159622,709442,951166,983582
CVE References: CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    python36-3.6.10-4.3.5, python36-base-3.6.10-4.3.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Alexandros Toptsoglou 2020-04-29 12:51:01 UTC
Done