Bug 920810 (CVE-2015-0252) - VUL-0: CVE-2015-0252: Xerces-c: Vulnerability in Apache Xerces-C XML parser
Summary: VUL-0: CVE-2015-0252: Xerces-c: Vulnerability in Apache Xerces-C XML parser
Status: RESOLVED FIXED
Alias: CVE-2015-0252
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:RedHat:CVE-2015-0252:5.0:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-05 09:43 UTC by Marcus Meissner
Modified: 2018-03-15 23:48 UTC
CC List: 6 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch (2.17 KB, patch)
2015-03-05 09:44 UTC, Marcus Meissner
CVE-2015-0252.xml (5 bytes, text/xml)
2016-08-27 12:40 UTC, Marcus Meissner

Description Marcus Meissner 2015-03-05 09:43:33 UTC
via distros, embargoed

CRD: 2015-03-13 (probably)

A denial of service vulnerability was reported in January to the Apache
Xerces-C PMC. The CVE is CVE-2015-0252 and the draft advisory for it is
below.

The supported version of this library is currently V3.1.1 and I have
been accepted as a committer to push out a V3.1.2 patch release that
includes this bug fix. The current patch being tested is at the end
of this email.

Note that some older but still "active" Linux distributions include
versions of the parser as old as 2.8.0, which has been unsupported
for many, many years. I don't know if this patch applies to that release.

A beta release of V3.1.2 is available now [1] and will be formally announced
this afternoon. A vote to release it is planned for next week, so
the release and a public disclosure would be expected around March 13th.

Scott Cantor
Shibboleth Consortium
Apache PMC, Santuario and Committer, Xerces-C

[1] http://people.apache.org/~scantor/

---

CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions
prior to V3.1.2

Description: The Xerces-C XML parser mishandles certain kinds of
malformed input documents, resulting in a segmentation fault during
a parse operation. The bug does not appear to allow for remote code
execution, but is a denial of service attack that in many applications
may allow for an unauthenticated attacker to supply malformed input
and cause a crash.

Mitigation: Applications that are using library versions older than
V3.1.2 should upgrade as soon as possible. Distributors of older versions
should apply the patches from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=TBD

Credit: This issue was reported independently by Anton Rager and Jonathan
Brossard from the Salesforce.com Product Security Team and by Ben Laurie
of Google.

References:
http://xerces.apache.org/xerces-c/
http://TBD/CVE-2015-0252.txt

----

Planned patch for vulnerability:
Comment 1 Marcus Meissner 2015-03-05 09:44:34 UTC
Created attachment 625499
patch

attached patch
Comment 2 Swamp Workflow Management 2015-03-05 23:00:15 UTC
bugbot adjusting priority
Comment 4 Johannes Segitz 2015-03-16 15:12:48 UTC
CRD was shifted, not fixed, please check before opening this bug.
CRD: 2015-03-19
Comment 5 Marcus Meissner 2015-03-20 06:47:52 UTC
public via oss-sec

CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions
prior to V3.1.2

Description: The Xerces-C XML parser mishandles certain kinds of
malformed input documents, resulting in a segmentation fault during
a parse operation. The bug does not appear to allow for remote code
execution, but is a denial of service attack that in many applications
may allow for an unauthenticated attacker to supply malformed input
and cause a crash.

Mitigation: Applications that are using library versions older than
V3.1.2 should upgrade as soon as possible. Distributors of older versions
should apply the patches from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1667870

Credit: This issue was reported independently by Anton Rager and Jonathan
Brossard from the Salesforce.com Product Security Team and by Ben Laurie
of Google.

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
Comment 6 Swamp Workflow Management 2015-03-25 11:05:18 UTC
SUSE-SU-2015:0597-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 920810
CVE References: CVE-2015-0252
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    xerces-c-3.1.1-4.1
SUSE Linux Enterprise Desktop 12 (src):    xerces-c-3.1.1-4.1
Comment 8 Marcus Meissner 2016-03-23 08:28:03 UTC
done
Comment 9 Bernhard Wiedemann 2016-03-29 15:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (920810) was mentioned in
https://build.opensuse.org/request/show/381243 13.2 / xerces-c
Comment 10 Bernhard Wiedemann 2016-03-30 10:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (920810) was mentioned in
https://build.opensuse.org/request/show/381546 13.2 / xerces-c
Comment 11 Swamp Workflow Management 2016-04-07 11:07:48 UTC
openSUSE-SU-2016:0966-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 920810,966822
CVE References: CVE-2015-0252,CVE-2016-0729
Sources used:
openSUSE 13.2 (src):    xerces-c-3.1.1-13.3.1
Comment 12 Marcus Meissner 2016-08-27 12:40:06 UTC
Created attachment 689774
CVE-2015-0252.xml

QA Reproducer:

SAXCount CVE-2015-0252.xml
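Turning the QA reproducer above into a repeatable check, as an added example that is not part of this bug report and not code from the Xerces-C project. It runs the parser under a small harness and classifies how the process terminated, which is the distinction that matters for this bug: a fixed library reports the malformed document as a parse error, a vulnerable one dies with SIGSEGV. It also compares the upstream version reported by pkg-config against 3.1.2, with the caveat visible in the update notices above: SUSE ships the fix as xerces-c-3.1.1-4.1, so the upstream version string alone does not tell you whether a backported fix is present. Assumptions: POSIX sh and awk, coreutils `timeout` if present, SAXCount (the Xerces-C sample program used in Comment 12) on PATH for a real run, and the pkg-config module name `xerces-c`.

```shell
#!/bin/sh
# Crash-triage harness around the QA reproducer from this bug.
# Added example, not code from the bug report or from the Xerces-C project.
# Assumes: POSIX sh and awk; coreutils `timeout` if available; SAXCount
# (the Xerces-C sample parser used in Comment 12) on PATH for a real run.

# classify_exit STATUS: translate a shell exit status into a verdict.
#   0      -> ok        (parser finished cleanly)
#   124    -> timeout   (GNU timeout's own status when the limit hits)
#   >128   -> signal:N  (parser died from signal N; 11 is SIGSEGV, the
#                        failure mode the advisory describes)
#   other  -> error:N   (ordinary non-zero exit, e.g. a reported parse error)
classify_exit() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -eq 124 ]; then
        echo timeout
    elif [ "$status" -gt 128 ]; then
        echo "signal:$((status - 128))"
    else
        echo "error:$status"
    fi
}

# run_parser CMD [ARGS...]: run the parser command, discard its output and
# print the classify_exit verdict. The `|| status=$?` guard keeps a crashing
# child from aborting a caller that runs under `set -e`.
run_parser() {
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout 10 "$@" >/dev/null 2>&1 || status=$?
    else
        "$@" >/dev/null 2>&1 || status=$?
    fi
    classify_exit "$status"
}

# version_lt A B: exit 0 if dotted version A is older than B. Missing
# fields count as 0, so 3.1 sorts before 3.1.2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# check_installed: report the upstream version pkg-config knows about and
# whether it predates 3.1.2. A backported distribution fix (SUSE's
# xerces-c-3.1.1-4.1 in this bug) keeps the 3.1.1 string, so "predates"
# only means "run the reproducer to find out". The pkg-config module name
# xerces-c is an assumption.
check_installed() {
    ver=$(pkg-config --modversion xerces-c 2>/dev/null) || {
        echo "xerces-c: version unknown (no pkg-config data)"
        return 0
    }
    if version_lt "$ver" 3.1.2; then
        echo "xerces-c $ver: upstream version predates the 3.1.2 fix"
    else
        echo "xerces-c $ver: upstream version includes the 3.1.2 fix"
    fi
}

# Stand-alone usage: sh triage.sh CVE-2015-0252.xml
# A build with the fix must not answer "signal:11" for the reproducer.
if [ -n "$1" ]; then
    check_installed
    echo "SAXCount $1: $(run_parser SAXCount "$1")"
fi
```

The signal arithmetic relies on the POSIX shell convention that a child killed by signal N is reported as exit status 128+N, so a segmentation fault surfaces as 139; coreutils `timeout` preserves that status (or re-raises the signal on itself), which is why the verdict is the same with or without it. Because the reproducer attachment on this page is not reproduced in the text, the script takes the file as an argument rather than embedding it.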