Bug 585510 (CVE-2016-4472) - <dev-libs/expat-2.2.0-r1: Undefined behavior and pointer overflows (CVE-2016-4472)
Summary: <dev-libs/expat-2.2.0-r1: Undefined behavior and pointer overflows (CVE-2016-...
Status: RESOLVED FIXED
Alias: CVE-2016-4472
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
Reported: 2016-06-10 09:04 UTC by Agostino Sarubbo
Modified: 2017-01-11 12:18 UTC

See Also:
Package list:
=dev-libs/expat-2.2.0-r1
Runtime testing required: ---
kensington: sanity-check+
Description Agostino Sarubbo gentoo-dev 2016-06-10 09:04:41 UTC
From ${URL} :

It was found that the original patch for issues CVE-2015-1283 and CVE-2015-2716 used overflow checks
that could be optimized out by some compilers applying certain optimization settings, which can
cause the vulnerability to remain even after applying the patch.

One pattern in the fix for CVE-2015-1283/CVE-2015-2716 is:

  /* bufferSize is positive here */
  do {
    bufferSize *= 2;
  } while (bufferSize < neededSize && bufferSize > 0);
  if (bufferSize <= 0) {
    errorCode = XML_ERROR_NO_MEMORY;
    return NULL;
  }

Any modern optimizing compiler, IF able to infer that bufferSize is initially positive
(which is true but not obvious to see through local reasoning), will eliminate bufferSize > 0 as
always true when the execution is defined, and bufferSize <= 0 as always false when the execution
is defined.


Without knowing that bufferSize starts positive, an optimizing compiler could also move the test 
bufferSize > 0 out of the loop, that is, compile the code as if it had been written:

  if (bufferSize <= 0) {
    errorCode = XML_ERROR_NO_MEMORY;
    return NULL;
  } else {
    do {
      bufferSize *= 2;
    } while (bufferSize < neededSize);
  }

Both cases lead to the vulnerability not being eliminated.

Upstream patch:

https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/tree/expat/lib/xmlparse.c?diff=a238d7ea7a715ef3850c4cbdd86aeda7077b6bbc


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
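The following is an added example, not code from this bug report, from the Red Hat report it quotes, or from Expat itself. It shows the same doubling loop written so that the overflow check runs before the multiplication and compares against INT_MAX / 2: the function never executes a signed overflow, so there is no undefined behaviour for the optimizer to reason from, and the check cannot be dropped the way the pattern above can. A second formulation does the doubling in unsigned arithmetic, where wrap-around is defined, and tests the result before converting back. The function names grow_buffer_size and grow_buffer_size_unsigned, and the -1 error return in place of XML_ERROR_NO_MEMORY, are assumptions of this example.

```c
#include <limits.h>
#include <stdio.h>

/* Added example (not Expat's code): grow a positive buffer size by
 * doubling until it is at least neededSize.  Returns the new size, or
 * -1 when the next doubling would exceed INT_MAX.
 *
 * The overflow test runs BEFORE the multiplication, so the function
 * never performs a signed overflow.  Because no undefined behaviour is
 * ever executed, a compiler cannot assume "bufferSize > 0" holds after
 * the loop and cannot delete the error path, which is what happened to
 * the pattern quoted in the description (CVE-2016-4472). */
int grow_buffer_size(int bufferSize, int neededSize)
{
    if (bufferSize <= 0 || neededSize <= 0)
        return -1;                      /* sizes must be positive */

    do {
        if (bufferSize > INT_MAX / 2)   /* 2 * bufferSize would overflow */
            return -1;
        bufferSize *= 2;
    } while (bufferSize < neededSize);

    return bufferSize;
}

/* Same contract, using unsigned arithmetic for the doubling.  Unsigned
 * wrap-around is defined in C, so the comparison against INT_MAX is a
 * real test on a real value rather than on something the compiler may
 * treat as impossible. */
int grow_buffer_size_unsigned(int bufferSize, int neededSize)
{
    if (bufferSize <= 0 || neededSize <= 0)
        return -1;

    do {
        unsigned doubled = 2U * (unsigned)bufferSize;
        if (doubled > (unsigned)INT_MAX) /* would not fit back into int */
            return -1;
        bufferSize = (int)doubled;
    } while (bufferSize < neededSize);

    return bufferSize;
}

int main(void)
{
    /* Constructed inputs: a normal growth and one that must be refused. */
    printf("%d\n", grow_buffer_size(1024, 3000));        /* 4096 */
    printf("%d\n", grow_buffer_size(1 << 30, INT_MAX));  /* -1 */
    return 0;
}
```

Both functions keep the do/while shape of the original, so the size is doubled at least once, which is why growing 1024 to fit 1024 still yields 2048. Either form is safe to compile at any optimization level; the choice between them is a matter of readability.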
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-01 05:14:48 UTC
CVE-2016-4472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4472):
  The overflow protection in Expat is removed by compilers with certain
  optimization settings, which allows remote attackers to cause a denial of
  service (crash) or possibly execute arbitrary code via crafted XML data. 
  NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2015-1283 and CVE-2015-2716.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 02:23:31 UTC
From https://sourceforge.net/p/expat/code_git/ci/master/tree/expat/Changes:

> Release 2.2.0 Tue June 21 2016
>         Security fixes:
>             #537  CVE-2016-0718 -- Fix crash on malformed input
>                   CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
>                                    CVE-2015-2716 introduced with Expat 2.1.1
>             #499  CVE-2016-5300 -- Use more entropy for hash initialization
>                                    than the original fix to CVE-2012-0876
>             #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
>                                    that was introduced with Expat 2.1.0
>                                    when addressing CVE-2012-0876 (issue #496)

v2.2.0 has been available in the Gentoo repository since https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/expat?id=d32fd3265a5a1e4297d542c55c9417f98beff4b8

@ Arches,

please test and mark stable: =dev-libs/expat-2.2.0-r1

Stable target(s): alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-11-19 04:33:30 UTC
Removing unstable arches.
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-19 13:54:06 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-11-19 13:56:26 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-23 09:21:14 UTC
Stable on alpha.
Comment 7 Markus Meier gentoo-dev 2016-11-29 17:37:24 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-19 14:36:14 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-19 15:13:14 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-20 09:45:29 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-12-22 09:35:35 UTC
ppc64 stable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-01-01 09:04:18 UTC
ping for final arch
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-10 07:12:57 UTC
Stable for HPPA.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 14:48:12 UTC
Added to existing GLSA request.

@ Maintainer(s): Please clean up and drop <dev-libs/expat-2.2.0-r1!
Comment 15 Pacho Ramos gentoo-dev 2017-01-10 20:15:42 UTC
cleaned
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:18:25 UTC
This issue was resolved and addressed in
 GLSA 201701-21 at https://security.gentoo.org/glsa/201701-21
by GLSA coordinator Aaron Bauman (b-man).