Date: Tue, 14 Jul 2015 21:54:26 -0400 (EDT) From: cve-assign@...re.org To: fernando@...l-life.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > The original discovery was about memory corruption, > and then the vendor mentioned an attack variation in which a small > file can lead to a 4 Gb allocation, which potentially would be > successful on some platform and cause a DoS. > In other words, the first CVE would be for > https://github.com/htacg/tidy-html5/issues/217 with: > > AddressSanitizer: heap-buffer-overflow > WRITE of size 1 > > tmbstr cp = s = (tmbstr) TidyAlloc( allocator, 1+len ); > Notice the plus 1, so it arrives at TidyAlloc with a ZERO!!! > > Now it seems malloc does not mind a zero value, malloc(0), and > dutifully returns a pointer > > Then tmbstrndup does the corruption, with - > > while ( len-- > 0 && (*cp++ = *str++) ) /**/; > > Of course ( len-- > 0 ) will be true until the 4294967295 expires ;=)) > > But thankfully the corruption stops when a 0 is reached in the lexer > with (*cp++ = *str++). As indicated in this case it is storing the > attribute "href", but that is 4+ bytes of corruption. Use CVE-2015-5522. > The second CVE would be for > https://github.com/htacg/tidy-html5/issues/217#issuecomment-108565501 > with: > > In some cases this bug could exibit a different problem like parsing > the snippet <a <?xm \0xd?> href="">. > > Now the lexer buffer will contain 2, or more IsWhite() chars and len > would be reduced to -2, or less, which means the malloc buffer > allocation would be a giant 4,294,967,295 byte allocation, a value > lots of OSes will reject Use CVE-2015-5523. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVpby0AAoJEKllVAevmvmsYlgIALsomSkXtN2xeMmqFxVFu3+y kdUmzXii7CB5uQnwG/AOxnsj1iv0TahON89VTt07ODF+5wDIY0xPp5gaP/YHG65l AXU+HBIDpDe5YSQNSUrn+DyPVbNzweNWXXrSUtTYF/bIgzSPPbHM6K6nHblNAFfQ N+rq/O5QeB/xG3DAv+Rj3FzgRZakfRboUDDLQrhBeEy6goys99cgxD09aWqmQSNB 5kB2tQNeCnJ959Ds61joQdgA5iTo9ASxjRMSvanNLD4xW/ofuYGFXkYgFw0cJxTA zx1FJyxiq7vHW/DpHZ987W3w4fLV2OjlwiJppkVkyoav+F8T6PRh43OFEtdudNk= =hW30 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ