Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458
Hi,

On Sun, Jan 14, 2024 at 05:48:54PM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Jan 14, 2024 at 04:41:00PM +, Bastien Roucariès wrote:
> > On Sun, 31 Dec 2023 07:14:26 +0100 Salvatore Bonaccorso wrote:
> > > Hi Guilhem, hi Moritz,
> > >
> > > On Sat, Dec 30, 2023 at 11:26:02PM +0100, Guilhem Moulin wrote:
> > > > On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> > > > > There are some minor changes staged in the salsa git repo. It would
> > > > > be good to include them as well. Feel free to push the patch to git
> > > > > and upload. Alternatively a merge request works as well of course.
> > > >
> > > > Thanks for the fast response! Tagged and uploaded.
> > > >
> > > > Security team, if you agree with my assessment that CVE-2023-40462 is a
> > > > duplicate of CVE-2023-34194 (but for a separate project that embeds
> > > > libxml) and that CVE-2023-40458 is a duplicate of CVE-2021-42260 (but
> > > > for a separate project that embeds libxml), I can propose debdiffs for
> > > > bullseye and bookworm.
> > >
> > > I think the former is correct but still a bit biased. We initially had
> > > exactly CVE-2023-40462 as NFU and CVE-2023-34194 for tinyxml. I have
> > > now committed
> > > https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b
> > > which does match my understanding for this doubled CVE assignment. The
> > > document is actually not very clear. It still mentions
> > > CVE-2023-40462 but does not consistently say "TinyXML as used in".
> > > Still hope we can agree the above matches all our understanding.
> > > Moritz, given you updated back then the entry from NFU and tinyxml, if
> > > you still strongly disagree I will revert the above, but I tried to
> > > explain my reasoning in the commit message.
> > >
> > > Now for CVE-2023-40458 I'm not sure. Looking back at the references
> > > for CVE-2021-42260 and the issue report at
> > > https://sourceforge.net/p/tinyxml/bugs/141/ this sensibly matches the
> > > description for CVE-2023-40458, but I will want to see if Moritz has
> > > additional input here.
> > >
> > > If this is the case we either have the option to mark it really as a
> > > duplicate (and request a reject from MITRE) or it is again just an
> > > ALEOS issue "... tinyxml as used in". Again the table here is not very
> > > clear in the report: for CVE-2023-34194 and CVE-2023-40462 the two
> > > CVEs were explicitly listed with brackets including the product in the
> > > table, but this is not the case for CVE-2023-40458.
> > >
> > > Moritz?
> >
> > Any news on this triaging?
>
> I contacted the involved CNA and they are investigating if that needs
> to be considered a duplicate (for CVE-2023-40458 and CVE-2021-42260).
>
> CVE-2023-40462 was already updated.

So CVE-2023-40458 is to be considered specific to ALEOS. The reason is,
while the underlying vulnerability is the same as CVE-2021-42260, the
Sierra Wireless CNA chose to register a unique CVE as the ALEOS source
code contained code taken from TinyXML but did not contain the complete
TinyXML source. The fix for the vulnerability reflects the fix in TinyXML
(as per its CVE), but it was not possible in the Sierra Wireless product
to address the vulnerability by directly taking the TinyXML code.

Regards,
Salvatore
Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458
Hi,

On Sun, Jan 14, 2024 at 04:41:00PM +, Bastien Roucariès wrote:
> On Sun, 31 Dec 2023 07:14:26 +0100 Salvatore Bonaccorso wrote:
> > Hi Guilhem, hi Moritz,
> >
> > On Sat, Dec 30, 2023 at 11:26:02PM +0100, Guilhem Moulin wrote:
> > > On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> > > > There are some minor changes staged in the salsa git repo. It would
> > > > be good to include them as well. Feel free to push the patch to git
> > > > and upload. Alternatively a merge request works as well of course.
> > >
> > > Thanks for the fast response! Tagged and uploaded.
> > >
> > > Security team, if you agree with my assessment that CVE-2023-40462 is a
> > > duplicate of CVE-2023-34194 (but for a separate project that embeds
> > > libxml) and that CVE-2023-40458 is a duplicate of CVE-2021-42260 (but
> > > for a separate project that embeds libxml), I can propose debdiffs for
> > > bullseye and bookworm.
> >
> > I think the former is correct but still a bit biased. We initially had
> > exactly CVE-2023-40462 as NFU and CVE-2023-34194 for tinyxml. I have
> > now committed
> > https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b
> > which does match my understanding for this doubled CVE assignment. The
> > document is actually not very clear. It still mentions
> > CVE-2023-40462 but does not consistently say "TinyXML as used in".
> > Still hope we can agree the above matches all our understanding.
> > Moritz, given you updated back then the entry from NFU and tinyxml, if
> > you still strongly disagree I will revert the above, but I tried to
> > explain my reasoning in the commit message.
> >
> > Now for CVE-2023-40458 I'm not sure. Looking back at the references
> > for CVE-2021-42260 and the issue report at
> > https://sourceforge.net/p/tinyxml/bugs/141/ this sensibly matches the
> > description for CVE-2023-40458, but I will want to see if Moritz has
> > additional input here.
> >
> > If this is the case we either have the option to mark it really as a
> > duplicate (and request a reject from MITRE) or it is again just an
> > ALEOS issue "... tinyxml as used in". Again the table here is not very
> > clear in the report: for CVE-2023-34194 and CVE-2023-40462 the two
> > CVEs were explicitly listed with brackets including the product in the
> > table, but this is not the case for CVE-2023-40458.
> >
> > Moritz?
>
> Any news on this triaging?

I contacted the involved CNA and they are investigating if that needs
to be considered a duplicate (for CVE-2023-40458 and CVE-2021-42260).

CVE-2023-40462 was already updated.

Regards,
Salvatore
Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458
On Sun, 31 Dec 2023 07:14:26 +0100 Salvatore Bonaccorso wrote:
> Hi Guilhem, hi Moritz,
>
> On Sat, Dec 30, 2023 at 11:26:02PM +0100, Guilhem Moulin wrote:
> > On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> > > There are some minor changes staged in the salsa git repo. It would be
> > > good to include them as well. Feel free to push the patch to git and
> > > upload. Alternatively a merge request works as well of course.
> >
> > Thanks for the fast response! Tagged and uploaded.
> >
> > Security team, if you agree with my assessment that CVE-2023-40462 is a
> > duplicate of CVE-2023-34194 (but for a separate project that embeds
> > libxml) and that CVE-2023-40458 is a duplicate of CVE-2021-42260 (but
> > for a separate project that embeds libxml), I can propose debdiffs for
> > bullseye and bookworm.
>
> I think the former is correct but still a bit biased. We initially had
> exactly CVE-2023-40462 as NFU and CVE-2023-34194 for tinyxml. I have
> now committed
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b
> which does match my understanding for this doubled CVE assignment. The
> document is actually not very clear. It still mentions
> CVE-2023-40462 but does not consistently say "TinyXML as used in".
> Still hope we can agree the above matches all our understanding.
> Moritz, given you updated back then the entry from NFU and tinyxml, if
> you still strongly disagree I will revert the above, but I tried to
> explain my reasoning in the commit message.
>
> Now for CVE-2023-40458 I'm not sure. Looking back at the references
> for CVE-2021-42260 and the issue report at
> https://sourceforge.net/p/tinyxml/bugs/141/ this sensibly matches the
> description for CVE-2023-40458, but I will want to see if Moritz has
> additional input here.
>
> If this is the case we either have the option to mark it really as a
> duplicate (and request a reject from MITRE) or it is again just an
> ALEOS issue "... tinyxml as used in". Again the table here is not very
> clear in the report: for CVE-2023-34194 and CVE-2023-40462 the two
> CVEs were explicitly listed with brackets including the product in the
> table, but this is not the case for CVE-2023-40458.
>
> Moritz?

Any news on this triaging?

Bastien

> Regards,
> Salvatore
Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458
Hi Guilhem, hi Moritz,

On Sat, Dec 30, 2023 at 11:26:02PM +0100, Guilhem Moulin wrote:
> On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> > There are some minor changes staged in the salsa git repo. It would be good
> > to include them as well. Feel free to push the patch to git and upload.
> > Alternatively a merge request works as well of course.
>
> Thanks for the fast response! Tagged and uploaded.
>
> Security team, if you agree with my assessment that CVE-2023-40462 is a
> duplicate of CVE-2023-34194 (but for a separate project that embeds
> libxml) and that CVE-2023-40458 is a duplicate of CVE-2021-42260 (but
> for a separate project that embeds libxml), I can propose debdiffs for
> bullseye and bookworm.

I think the former is correct but still a bit biased. We initially had
exactly CVE-2023-40462 as NFU and CVE-2023-34194 for tinyxml. I have
now committed
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b
which does match my understanding for this doubled CVE assignment. The
document is actually not very clear. It still mentions CVE-2023-40462
but does not consistently say "TinyXML as used in". Still hope we can
agree the above matches all our understanding. Moritz, given you updated
back then the entry from NFU and tinyxml, if you still strongly disagree
I will revert the above, but I tried to explain my reasoning in the
commit message.

Now for CVE-2023-40458 I'm not sure. Looking back at the references for
CVE-2021-42260 and the issue report at
https://sourceforge.net/p/tinyxml/bugs/141/ this sensibly matches the
description for CVE-2023-40458, but I will want to see if Moritz has
additional input here.

If this is the case we either have the option to mark it really as a
duplicate (and request a reject from MITRE) or it is again just an ALEOS
issue "... tinyxml as used in". Again the table here is not very clear
in the report: for CVE-2023-34194 and CVE-2023-40462 the two CVEs were
explicitly listed with brackets including the product in the table, but
this is not the case for CVE-2023-40458.

Moritz?

Regards,
Salvatore
Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458
On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> There are some minor changes staged in the salsa git repo. It would be good
> to include them as well. Feel free to push the patch to git and upload.
> Alternatively a merge request works as well of course.

Thanks for the fast response! Tagged and uploaded.

Security team, if you agree with my assessment that CVE-2023-40462 is a
duplicate of CVE-2023-34194 (but for a separate project that embeds
libxml) and that CVE-2023-40458 is a duplicate of CVE-2021-42260 (but
for a separate project that embeds libxml), I can propose debdiffs for
bullseye and bookworm.

-- 
Guilhem.
Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458
Hi,

On 30.12.23 16:06, Guilhem Moulin wrote:
> Control: tag -1 + patch
>
> Hi,
>
> I had a look at these issues for Buster (LTS). Unfortunately the upstream
> project appears to be inactive.
>
> On Fri, 22 Dec 2023 at 14:50:57 +0100, Moritz Mühlenhoff wrote:
> > CVE-2023-34194[0]:
> > | StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in
> > | TinyXML through 2.6.2 has a reachable assertion (and application
> > | exit) via a crafted XML document with a '\0' located after
> > | whitespace.
>
> I attach a patch for this. Felix, I can upload an NMU for sid if you'd like.

Thanks for working on this!

There are some minor changes staged in the salsa git repo. It would be good
to include them as well. Feel free to push the patch to git and upload.
Alternatively a merge request works as well of course.

Cheers,
Felix
Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458
Control: tag -1 + patch

Hi,

I had a look at these issues for Buster (LTS). Unfortunately the upstream
project appears to be inactive.

On Fri, 22 Dec 2023 at 14:50:57 +0100, Moritz Mühlenhoff wrote:
> CVE-2023-34194[0]:
> | StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in
> | TinyXML through 2.6.2 has a reachable assertion (and application
> | exit) via a crafted XML document with a '\0' located after
> | whitespace.

I attach a patch for this. Felix, I can upload an NMU for sid if you'd like.

> CVE-2023-40462[1]:
> | The ACEManager component of ALEOS 4.16 and earlier does not
> | perform input sanitization during authentication, which could
> | potentially result in a Denial of Service (DoS) condition for
> | ACEManager without impairing other router functions. ACEManager
> | recovers from the DoS condition by restarting within ten seconds of
> | becoming unavailable.

AFAICT this is identical to CVE-2023-34194, but for ALEOS' ACEManager:

“TinyXML has not been supported for some years, but ALEOS still embeds its
source code directly into one of its libraries (libSWIALEOS.so). […] For
ACEmanager, the bug can be triggered similarly to CVE-2023-40458, as shown
below in Figure 20. Unlike CVE-2023-40458, though, it crashes the
application, and since ACEmanager runs as a service, it will be
automatically restarted in a few seconds. However, attackers can keep
sending malformed XML documents, prolonging the DoS indefinitely. All
currently logged-in users are also immediately logged out. Attackers do
not need to be authenticated to exploit the issue.” [0]

> CVE-2023-40458[2]:
> | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability
> | in Sierra Wireless, Inc ALEOS could potentially allow a remote
> | attacker to trigger a Denial of Service (DoS) condition for
> | ACEManager without impairing other router functions. This condition
> | is cleared by restarting the device.

AFAICT this issue is a duplicate of CVE-2021-42260.
§9.4 of the report[0] reads that CVE-2023-40458 is triggered by a malformed
XML document containing 0xef (TIXML_UTF_LEAD_0) followed (p+1 or p+2) by
0x00, which is exactly what CVE-2021-42260 is about.
https://sourceforge.net/p/tinyxml/git/merge-requests/1/ , which is included
in buster-security, bullseye, bookworm and sid, evades the infinite loop by
blindly advancing the pointer.

Cheers,
-- 
Guilhem.

[0] https://www.forescout.com/resources/sierra21-vulnerabilities

From: Guilhem Moulin Date: Sat, 30 Dec 2023 14:15:54 +0100 Subject: Avoid reachable assertion via crafted XML document with a '\0' located after whitespace Bug: https://www.forescout.com/resources/sierra21-vulnerabilities Bug-Debian: https://bugs.debian.org/1059315 Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194 Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-40462 --- tinyxmlparser.cpp | 4 1 file changed, 4 insertions(+) diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp index 8aa0dfa..1601962 100644 --- a/tinyxmlparser.cpp +++ b/tinyxmlparser.cpp @@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm } p = SkipWhiteSpace( p, _encoding ); + if ( !p || !*p ) + { + break; + } if ( StringEqual( p, "version", true, _encoding ) ) { TiXmlAttribute attrib; signature.asc Description: PGP signature
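Review bot: the new guard after `p = SkipWhiteSpace( p, _encoding );` only `break`s out of the loop; nothing in the hunk records that the declaration was cut short, so whatever follows the loop cannot tell a document truncated inside `<?xml ... ?>` from one whose declaration ended normally. If the parser has an error-reporting path for malformed input, consider taking it here instead of a bare `break`, and in any case add a one-line comment naming CVE-2023-34194 above `if ( !p || !*p )` so the check is not "simplified" away later. The `!p` half of the condition also deserves a word in the comment, since the `Subject:` only describes the `'\0'`-after-whitespace case and a reader of the hunk alone cannot see why `SkipWhiteSpace` could hand back a null pointer.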
Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458
Source: tinyxml
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

https://www.forescout.com/resources/sierra21-vulnerabilities mentions three
security issues in Tinyxml:

CVE-2023-34194[0]:
| StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in
| TinyXML through 2.6.2 has a reachable assertion (and application
| exit) via a crafted XML document with a '\0' located after
| whitespace.

CVE-2023-40462[1]:
| The ACEManager component of ALEOS 4.16 and earlier does not
| perform input sanitization during authentication, which could
| potentially result in a Denial of Service (DoS) condition for
| ACEManager without impairing other router functions. ACEManager
| recovers from the DoS condition by restarting within ten seconds of
| becoming unavailable.

CVE-2023-40458[2]:
| Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability
| in Sierra Wireless, Inc ALEOS could potentially allow a remote
| attacker to trigger a Denial of Service (DoS) condition for
| ACEManager without impairing other router functions. This condition
| is cleared by restarting the device.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34194
    https://www.cve.org/CVERecord?id=CVE-2023-34194
[1] https://security-tracker.debian.org/tracker/CVE-2023-40462
    https://www.cve.org/CVERecord?id=CVE-2023-40462
[2] https://security-tracker.debian.org/tracker/CVE-2023-40458
    https://www.cve.org/CVERecord?id=CVE-2023-40458

Please adjust the affected versions in the BTS as needed.
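The CVE-2023-34194 text above names both the input shape (whitespace followed by '\0' inside the declaration) and where it lands (a string comparison helper that treats end-of-input as a programming error and asserts). The C++ below is an added example written for this page, not tinyxml's code: a deliberately small model of a declaration-parsing loop, run once in the pre-fix shape and once with an end-of-input check between skipping whitespace and comparing, so the difference is visible without aborting the process. `parse_declaration`, `string_equal`, `skip_whitespace`, `Result` and the `g_assert_hits` counter are this example's own simplifications, not the library's API; the counter stands in for the `assert(0)` the real helper would hit.

```cpp
// Added example (not tinyxml code): a miniature of an XML-declaration
// parsing loop. The unguarded variant reaches the comparison helper's
// end-of-input precondition once whitespace is followed by '\0'; the
// guarded variant checks for end of input first and ends the parse as
// an ordinary truncated-document result.
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>

// In the library the comparison helper asserts when called at end of
// input. Here each such call increments a counter instead of aborting,
// so both variants can run in one process; every increment is one
// would-be crash of the embedding application.
static int g_assert_hits = 0;

// Hypothetical stand-in for the library's StringEqual: prefix match.
static bool string_equal(const char* p, const char* tag) {
    if (!p || !*p) {
        ++g_assert_hits;        // the real helper would assert(0) here
        return false;
    }
    return std::strncmp(p, tag, std::strlen(tag)) == 0;
}

static const char* skip_whitespace(const char* p) {
    while (p && *p && std::isspace(static_cast<unsigned char>(*p))) ++p;
    return p;
}

enum class Outcome { Complete, Truncated };

struct Result {
    Outcome outcome;
    int assert_hits;      // would-be assertion failures during this parse
    std::string version;  // value of version="..." if one was read
};

// Parses the body of a declaration after the opening "<?xml". With
// guarded == false the control flow mirrors the pre-fix loop; with
// guarded == true an end-of-input check sits between skipping whitespace
// and comparing, which is the shape of the fix discussed in this bug.
static Result parse_declaration(const char* p, bool guarded) {
    g_assert_hits = 0;
    Result r{Outcome::Truncated, 0, ""};
    while (p && *p) {
        if (*p == '>') { r.outcome = Outcome::Complete; break; }
        p = skip_whitespace(p);
        if (guarded && (!p || !*p)) break;   // the fix: stop before comparing
        if (string_equal(p, "version")) {
            // Simplified attribute read: version="..."
            const char* open = std::strchr(p, '"');
            const char* close = open ? std::strchr(open + 1, '"') : nullptr;
            if (!close) break;               // unterminated value: give up
            r.version.assign(open + 1, close);
            p = close + 1;
        } else {
            // Read over whatever token this is, up to whitespace or '>'.
            while (p && *p && *p != '>' &&
                   !std::isspace(static_cast<unsigned char>(*p))) ++p;
        }
    }
    r.assert_hits = g_assert_hits;
    return r;
}

static void report(bool guarded) {
    // Constructed inputs: a well-formed declaration body and one cut off
    // right after whitespace, the shape the CVE text describes.
    Result ok  = parse_declaration(" version=\"1.0\" encoding=\"UTF-8\" ?>", guarded);
    Result cut = parse_declaration(" version=\"1.0\" ", guarded);
    std::printf("%-9s: well-formed -> %s (version=%s); truncated -> %s, "
                "would-be asserts=%d\n",
                guarded ? "guarded" : "unguarded",
                ok.outcome == Outcome::Complete ? "complete" : "truncated",
                ok.version.c_str(),
                cut.outcome == Outcome::Complete ? "complete" : "truncated",
                cut.assert_hits);
}

int main() {
    report(false);
    report(true);
    return 0;
}
```

The point to take from the two runs is that the guarded variant changes nothing for well-formed input and turns the truncated case from a would-be assertion into a result the caller can reject; an embedding product that exposes a parser like this to unauthenticated input, as the ACEManager description above does, is the one that pays for the missing check.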