[jira] [Comment Edited] (XERCESC-2188) Use-after-free on external DTD scan

Wed, 26 Apr 2023 13:34:08 -0700 


    [ 
https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17716851#comment-17716851
 ] 

Ilguiz Latypov edited comment on XERCESC-2188 at 4/26/23 8:33 PM:
------------------------------------------------------------------

Since year 2019, the NIST record of this bug included the upper boundary for 
the Xerces C version, 3.2.2 (probably because it was the last known version of 
the product).  It was updated to include 3.2.3 in years 2020 (in the 
human-readable description) and 2022 (in the machine-readable one).

https://nvd.nist.gov/vuln/detail/CVE-2018-1311#VulnChangeHistorySection

Now that 3.2.4 is released, it shows as clean from the CVE despite still being 
vulnerable.  This makes the component scan users miss the danger.

Is there a way to remove the upper boundary from the CVE?  I can see the change 
history at NIST extends to this year.

Hopefully a breaking change (4.0?) can be free from the vulnerability, at which 
point the CVE record could add the proper upper boundary.



was (Author: ilatypov):
Since year 2019, the NIST record of this bug included the upper boundary for 
the Xerces C version, 3.2.3 (probably because it was the last known version of 
the product).

https://nvd.nist.gov/vuln/detail/CVE-2018-1311#VulnChangeHistorySection

Now that 3.2.4 is released, it shows as clean from the CVE despite still being 
vulnerable.  This makes the component scan users miss the danger.

Is there a way to remove the upper boundary from the CVE?  I can see the change 
history at NIST extends to this year.

Hopefully a breaking change (4.0?) can be free from the vulnerability, at which 
point the CVE record could add the proper upper boundary.


> Use-after-free on external DTD scan
> -----------------------------------
>
>                 Key: XERCESC-2188
>                 URL: https://issues.apache.org/jira/browse/XERCESC-2188
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: Validating Parser (DTD)
>    Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, 
> 3.1.4, 3.2.1, 3.2.2
>            Reporter: Scott Cantor
>            Priority: Major
>         Attachments: Apache-496067-disclosure-report.pdf
>
>
> This is a record of an unfixed bug reported in 2018 in the DTD scanner, per 
> the attached PDF, corresponding to CVE-2018-1311.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org

Reply via email to