Control: tag -1 + patch

Hi,

I had a look at these issues for Buster (LTS). Unfortunately the upstream project appears to be inactive.

On Fri, 22 Dec 2023 at 14:50:57 +0100, Moritz Mühlenhoff wrote:
> CVE-2023-34194[0]:
> | StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in
> | TinyXML through 2.6.2 has a reachable assertion (and application
> | exit) via a crafted XML document with a '\0' located after
> | whitespace.

I attach a patch for this. Felix, I can upload an NMU for sid if you'd like.

> CVE-2023-40462[1]:
> | The ACEManager component of ALEOS 4.16 and earlier does not
> | perform input sanitization during authentication, which could
> | potentially result in a Denial of Service (DoS) condition for
> | ACEManager without impairing other router functions. ACEManager
> | recovers from the DoS condition by restarting within ten seconds of
> | becoming unavailable.

AFAICT this is identical to CVE-2023-34194, but for ALEOS' ACEManager:

  “TinyXML has not been supported for some years, but ALEOS still embeds its source code directly into one of its libraries (libSWIALEOS.so). […] For ACEmanager, the bug can be triggered similarly to CVE-2023-40458, as shown below in Figure 20. Unlike CVE-2023-40458, though, it crashes the application, and since ACEmanager runs as a service, it will be automatically restarted in a few seconds. However, attackers can keep sending malformed XML documents, prolonging the DoS indefinitely. All currently logged-in users are also immediately logged out. Attackers do not need to be authenticated to exploit the issue.” [0]

> CVE-2023-40458[2]:
> | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability
> | in Sierra Wireless, Inc ALEOS could potentially allow a remote
> | attacker to trigger a Denial of Service (DoS) condition for
> | ACEManager without impairing other router functions. This condition
> | is cleared by restarting the device.

AFAICT this issue is a duplicate of CVE-2021-42260. §9.4 of the report[0] reads that CVE-2023-40458 is triggered by a malformed XML document containing 0xef (TIXML_UTF_LEAD_0) followed (p+1 or p+2) by 0x00, which is exactly what CVE-2021-42260 is about. https://sourceforge.net/p/tinyxml/git/merge-requests/1/ , which is included in buster-security, bullseye, bookworm and sid, evades the infinite loop by blindly advancing the pointer.

Cheers,
-- 
Guilhem.

[0] https://www.forescout.com/resources/sierra21-vulnerabilities
From: Guilhem Moulin <guil...@debian.org> Date: Sat, 30 Dec 2023 14:15:54 +0100 Subject: Avoid reachable assertion via crafted XML document with a '\0' located after whitespace Bug: https://www.forescout.com/resources/sierra21-vulnerabilities Bug-Debian: https://bugs.debian.org/1059315 Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194 Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-40462 --- tinyxmlparser.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp index 8aa0dfa..1601962 100644 --- a/tinyxmlparser.cpp +++ b/tinyxmlparser.cpp @@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm } p = SkipWhiteSpace( p, _encoding ); + if ( !p || !*p ) + { + break; + } if ( StringEqual( p, "version", true, _encoding ) ) { TiXmlAttribute attrib;
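Review bot: the new guard `if ( !p || !*p ) { break; }` after `p = SkipWhiteSpace( p, _encoding );` leaves the loop without recording any error, and the hunk's context does not show what TiXmlDeclaration::Parse returns once the loop ends; please confirm that the post-loop return path reports the truncated `<?xml` declaration as a parse failure (a null return or an error set on the document) rather than handing back a pointer that callers will treat as a successfully parsed declaration, since that would turn the CVE-2023-34194 abort into silent acceptance of a malformed document. A one-line comment on the guard naming CVE-2023-34194 would help future readers, and any other `SkipWhiteSpace` followed by `StringEqual` sequence in tinyxmlparser.cpp is worth checking for the same end-of-input assumption.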