[
https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17055399#comment-17055399
]
Sylvain Beucler commented on XERCESC-2188:
------------------------------------------
Hi,
I'm no expert either and I'm merely forwarding the discussion myself.
>From a distro point-of-view, I'm interested in patching xerces-c as-is
>(versions 3.1.1, 3.1.4 and 3.2.2), hopefully while preserving ABI
>compatibility (otherwise we'd have to recompile all packages that depend on
>libxerces-c).
AFAIU Hugo's patch suggestion implies modifying internal/ReaderMsg.
First adding a default parameter to function ReaderMgr::pushReader, which could
be done ABI-compatibly with a new function pushReaderAdopt instead.
Then add a new private class member fAdoptedStack, which only stays
ABI-compatible if no dependent program directly allocates an internal/ReaderMsg
instance. From your comment, that does not seem guaranteed, though that could
be a reasonable expectation.
Again, I'm no expert.
(Incidentally, do you have access to a reproducer? The report mentions a
"simple PoC through samples/StdInParse" but my own test on a basic XML+DTD does
not trigger any ASAN warning.)
> Use-after-free on external DTD scan
> -----------------------------------
>
> Key: XERCESC-2188
> URL: https://issues.apache.org/jira/browse/XERCESC-2188
> Project: Xerces-C++
> Issue Type: Bug
> Components: Validating Parser (DTD)
> Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3,
> 3.1.4, 3.2.1, 3.2.2
> Reporter: Scott Cantor
> Priority: Major
> Attachments: Apache-496067-disclosure-report.pdf
>
>
> This is a record of an unfixed bug reported in 2018 in the DTD scanner, per
> the attached PDF, corresponding to CVE-2018-1311.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
