[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17055399#comment-17055399 ]
Sylvain Beucler commented on XERCESC-2188: ------------------------------------------ Hi, I'm no expert either and I'm merely forwarding the discussion myself. >From a distro point-of-view, I'm interested in patching xerces-c as-is >(versions 3.1.1, 3.1.4 and 3.2.2), hopefully while preserving ABI >compatibility (otherwise we'd have to recompile all packages that depend on >libxerces-c). AFAIU Hugo's patch suggestion implies modifying internal/ReaderMsg. First adding a default parameter to function ReaderMgr::pushReader, which could be done ABI-compatibly with a new function pushReaderAdopt instead. Then add a new private class member fAdoptedStack, which only stays ABI-compatible if no dependent program directly allocates an internal/ReaderMsg instance. From your comment, that does not seem guaranteed, though that could be a reasonable expectation. Again, I'm no expert. (Incidentally, do you have access to a reproducer? The report mentions a "simple PoC through samples/StdInParse" but my own test on a basic XML+DTD does not trigger any ASAN warning.) > Use-after-free on external DTD scan > ----------------------------------- > > Key: XERCESC-2188 > URL: https://issues.apache.org/jira/browse/XERCESC-2188 > Project: Xerces-C++ > Issue Type: Bug > Components: Validating Parser (DTD) > Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, > 3.1.4, 3.2.1, 3.2.2 > Reporter: Scott Cantor > Priority: Major > Attachments: Apache-496067-disclosure-report.pdf > > > This is a record of an unfixed bug reported in 2018 in the DTD scanner, per > the attached PDF, corresponding to CVE-2018-1311. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org