Bugzilla – Bug 1191856
VUL-0: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199: netcdf: multiple vulnerabilities in ezXML
Last modified: 2022-05-04 12:17:29 UTC
Multiple security issues were found in ezXML which is bundled in netcdf.

- CVE-2019-20005: https://sourceforge.net/p/ezxml/bugs/14/
- CVE-2019-20006: https://sourceforge.net/p/ezxml/bugs/15/
- CVE-2019-20007: https://sourceforge.net/p/ezxml/bugs/13/
- CVE-2019-20198: https://sourceforge.net/p/ezxml/bugs/20/
- CVE-2019-20199: https://sourceforge.net/p/ezxml/bugs/18/
- CVE-2019-20200: https://sourceforge.net/p/ezxml/bugs/19/
- CVE-2019-20201: https://sourceforge.net/p/ezxml/bugs/16/
- CVE-2019-20202: https://sourceforge.net/p/ezxml/bugs/17/
- CVE-2021-26220: https://sourceforge.net/p/ezxml/bugs/23/
- CVE-2021-26221: https://sourceforge.net/p/ezxml/bugs/21/
- CVE-2021-26222: https://sourceforge.net/p/ezxml/bugs/22/
- CVE-2021-30485: https://sourceforge.net/p/ezxml/bugs/25/
- CVE-2021-31229: https://sourceforge.net/p/ezxml/bugs/26/
- CVE-2021-31348 / CVE-2021-31347: https://sourceforge.net/p/ezxml/bugs/27/
- CVE-2021-31598: https://sourceforge.net/p/ezxml/bugs/28/

References:

- https://bugzilla.redhat.com/show_bug.cgi?id=2001671
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20200
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20201
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20007
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26221
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20202
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31598
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26220
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31347
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20198
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20005
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31229
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30485
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20199
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31348
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26222
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20006
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31348
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20005
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20006
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20007
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20198
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20199
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20200
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20201
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20202
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26220
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31598
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26221
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26222
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30485
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31229
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31347
Affected packages:

- SUSE:SLE-15-SP1:Update/netcdf 4.6.1
- SUSE:SLE-15-SP2:Update/netcdf 4.7.3
- SUSE:SLE-15-SP3:Update/netcdf 4.7.4
- SUSE:SLE-15:Update/netcdf 4.6.1
- openSUSE:Backports:SLE-15-SP2/netcdf 4.7.3
- openSUSE:Backports:SLE-15-SP3/netcdf 4.7.4
- openSUSE:Backports:SLE-15-SP4/netcdf 4.7.4
- openSUSE:Factory/netcdf 4.8.0

Upstream patch: https://github.com/Unidata/netcdf-c/pull/2125
Of the 15 reported issues only 4 are fixed. One of the 4 patches is bogus. The 'upstream patch' is a conglomerate of these 4 patches (including the bogus one!) and a 'big restructuring'.

The upstream patch calls exit(-1) when it encounters an error - instead of reporting an error to the caller, as the ezxml library used does not provide error reporting. Calling exit() when encountering an error is not much better than crashing.

I do, however, consider the risk of encountering broken XML rather low. XML is used here to obtain information about the data sets from a DAP4 server. The risk of getting bogus XML data from a legitimate server is negligible. However, the connection may be unauthenticated. Also, there seem to be 'public' DAP4 servers on the internet which provide climate data, for instance. Connection spoofing and 'man in the middle' may be possible.
The fix in bug #26 (CVE-2021-31229) https://sourceforge.net/p/ezxml/bugs/26/ also fixes bug #16 (CVE-2019-20201) https://sourceforge.net/p/ezxml/bugs/16/ and bug #20 (CVE-2019-20198) https://sourceforge.net/p/ezxml/bugs/20/, while the fix in bug #28 (CVE-2021-31598) https://sourceforge.net/p/ezxml/bugs/28/ is bogus. The issue gets addressed by a fix for bug #15 (CVE-2019-20006), which also fixes bug #17 (CVE-2021-31598).

The issues:

- CVE-2021-26221 / bug #21 https://sourceforge.net/p/ezxml/bugs/21/
- CVE-2021-26222 / bug #22 https://sourceforge.net/p/ezxml/bugs/26/
- CVE-2021-26220 / bug #23 https://sourceforge.net/p/ezxml/bugs/26/

all address out-of-memory conditions. The code calls malloc()/realloc() frequently, however, it never checks if the operation succeeds. Apparently, the code has been used as a test bed for a library wrapper which injects out-of-memory conditions to check whether these are handled gracefully. The reported issues are fixable, however, fixing this problem everywhere in the code is challenging as none of the inner functions are able to report back an error condition.
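Added illustration, not part of the bug thread and not ezXML or netcdf code: the comment above describes unchecked malloc()/realloc() calls, a wrapper that injects out-of-memory conditions, and inner functions that cannot report errors. The sketch below shows a checked realloc() whose failure is passed up to the caller as a return code rather than ending in exit() or a NULL dereference. The names `xrealloc`, `buf_t`, `buf_append`, `collect_text` and `demo` are hypothetical, and the input chunks are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical OOM injector: allocations from number fail_from onward fail (0 = never). */
static int fail_from = 0, alloc_count = 0;
static void *xrealloc(void *p, size_t n) {
    if (fail_from && ++alloc_count >= fail_from) return NULL;
    return realloc(p, n);
}
typedef struct { char *data; size_t len, cap; } buf_t;
enum { BUF_OK = 0, BUF_ENOMEM = -1 };

/* Append n bytes; on allocation failure the buffer is left intact and the error returned. */
static int buf_append(buf_t *b, const char *s, size_t n) {
    if (b->len + n + 1 > b->cap) {
        size_t cap = b->cap ? b->cap : 16;
        while (cap < b->len + n + 1) cap *= 2;
        char *tmp = xrealloc(b->data, cap); /* never overwrite b->data directly */
        if (!tmp) return BUF_ENOMEM;
        b->data = tmp; b->cap = cap;
    }
    memcpy(b->data + b->len, s, n);
    b->len += n;
    b->data[b->len] = '\0';
    return BUF_OK;
}
/* Inner routine: passes the error code up instead of calling exit() or using NULL. */
static int collect_text(buf_t *out, const char *const *chunks, size_t count) {
    for (size_t i = 0; i < count; i++) {
        int rc = buf_append(out, chunks[i], strlen(chunks[i]));
        if (rc != BUF_OK) return rc;
    }
    return BUF_OK;
}
/* Caller: runs over constructed sample chunks, reports status and bytes collected. */
int demo(int inject_at, size_t *len_out) {
    static const char *const chunks[] = { "<Dataset name=\"constructed\">",
        "0123456789abcdef0123456789abcdef", "</Dataset>" };
    buf_t b = {0};
    fail_from = inject_at; alloc_count = 0;
    int rc = collect_text(&b, chunks, 3);
    *len_out = b.len;
    free(b.data);
    return rc;
}

int main(void) {
    size_t n = 0;
    int rc = demo(2, &n); /* make the second allocation fail */
    printf("rc=%d len=%zu\n", rc, n);
    return 0;
}
```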
This is an autogenerated message for OBS integration: This bug (1191856) was mentioned in https://build.opensuse.org/request/show/927333 Factory / netcdf
The SLE12 HPC module is not affected as the code in question wasn't present in that version of netcdf.
CVE-2019-20005 - this issue cannot be reproduced. No fix available. CVE-2021-26220 - netcdf is not affected as affected code is used.
SUSE-SU-2021:3805-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 1191856 CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598 JIRA References: Sources used: SUSE Linux Enterprise Module for HPC 15-SP2 (src): netcdf_4_7_3-gnu-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-mpich-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-mvapich2-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-openmpi2-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-openmpi3-hpc-4.7.3-3.7.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:3804-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 1191856 CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598 JIRA References: Sources used: SUSE Linux Enterprise High Performance Computing 15-LTSS (src): netcdf_4_6_1-gnu-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-mpich-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-mvapich2-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-openmpi2-hpc-4.6.1-5.7.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): netcdf_4_6_1-gnu-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-mpich-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-mvapich2-hpc-4.6.1-5.7.1, netcdf_4_6_1-gnu-openmpi2-hpc-4.6.1-5.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3804-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 1191856 CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598 JIRA References: Sources used: openSUSE Leap 15.3 (src): netcdf-4.6.1-5.7.1, netcdf-openmpi-4.6.1-5.7.1
openSUSE-SU-2021:3805-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 1191856 CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598 JIRA References: Sources used: openSUSE Leap 15.3 (src): netcdf_4_7_3-gnu-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-mpich-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-mvapich2-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-openmpi2-hpc-4.7.3-3.7.2, netcdf_4_7_3-gnu-openmpi3-hpc-4.7.3-3.7.2
openSUSE-SU-2021:1505-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 1191856 CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598 JIRA References: Sources used: openSUSE Leap 15.2 (src): netcdf_4_7_3-gnu-hpc-4.7.3-lp152.2.6.1, netcdf_4_7_3-gnu-mpich-hpc-4.7.3-lp152.2.6.1, netcdf_4_7_3-gnu-mvapich2-hpc-4.7.3-lp152.2.6.1, netcdf_4_7_3-gnu-openmpi2-hpc-4.7.3-lp152.2.6.1, netcdf_4_7_3-gnu-openmpi3-hpc-4.7.3-lp152.2.6.1
SUSE-SU-2021:3815-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 1191856 CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598 JIRA References: Sources used: SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): netcdf_4_6_1-gnu-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mpich-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mvapich2-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-openmpi2-hpc-4.6.1-10.7.2 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): netcdf_4_6_1-gnu-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mpich-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mvapich2-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-openmpi2-hpc-4.6.1-10.7.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3815-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 1191856 CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598 JIRA References: Sources used: openSUSE Leap 15.3 (src): netcdf_4_6_1-gnu-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mpich-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-mvapich2-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-openmpi1-hpc-4.6.1-10.7.2, netcdf_4_6_1-gnu-openmpi2-hpc-4.6.1-10.7.2
SUSE-SU-2021:3873-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 1191856 CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598 JIRA References: Sources used: SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): netcdf_4_7_4-gnu-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mpich-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mvapich2-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi3-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi4-hpc-4.7.4-4.3.2 SUSE Linux Enterprise Module for HPC 15-SP3 (src): netcdf_4_7_4-gnu-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mpich-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mvapich2-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi3-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi4-hpc-4.7.4-4.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3873-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 1191856 CVE References: CVE-2019-20005,CVE-2019-20006,CVE-2019-20007,CVE-2019-20198,CVE-2019-20199,CVE-2019-20200,CVE-2019-20201,CVE-2019-20202,CVE-2021-26220,CVE-2021-26221,CVE-2021-26222,CVE-2021-30485,CVE-2021-31229,CVE-2021-31347,CVE-2021-31348,CVE-2021-31598 JIRA References: Sources used: openSUSE Leap 15.3 (src): netcdf-4.7.4-4.3.2, netcdf-openmpi2-4.7.4-4.3.2, netcdf-openmpi3-4.7.4-4.3.2, netcdf-openmpi4-4.7.4-4.3.2, netcdf_4_7_4-gnu-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mpich-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-mvapich2-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi2-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi3-hpc-4.7.4-4.3.2, netcdf_4_7_4-gnu-openmpi4-hpc-4.7.4-4.3.2
Released.