Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 14 Jul 2015 21:54:26 -0400 (EDT)
From: cve-assign@...re.org
To: fernando@...l-life.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> The original discovery was about memory corruption,
> and then the vendor mentioned an attack variation in which a small
> file can lead to a 4 Gb allocation, which potentially would be
> successful on some platform and cause a DoS.

> In other words, the first CVE would be for
> https://github.com/htacg/tidy-html5/issues/217 with:
> 
>   AddressSanitizer: heap-buffer-overflow
>   WRITE of size 1
> 
>   tmbstr cp = s = (tmbstr) TidyAlloc( allocator, 1+len );
>   Notice the plus 1, so it arrives at TidyAlloc with a ZERO!!!
> 
>   Now it seems malloc does not mind a zero value, malloc(0), and
>   dutifully returns a pointer
> 
>   Then tmbstrndup does the corruption, with -
> 
>   while ( len-- > 0 && (*cp++ = *str++) ) /**/;
> 
>   Of course ( len-- > 0 ) will be true until the 4294967295 expires ;=))
> 
>   But thankfully the corruption stops when a 0 is reached in the lexer
>   with (*cp++ = *str++). As indicated in this case it is storing the
>   attribute "href", but that is 4+ bytes of corruption.

Use CVE-2015-5522.


> The second CVE would be for
> https://github.com/htacg/tidy-html5/issues/217#issuecomment-108565501
> with:
> 
>   In some cases this bug could exibit a different problem like parsing
>   the snippet <a <?xm \0xd?> href="">.
> 
>   Now the lexer buffer will contain 2, or more IsWhite() chars and len
>   would be reduced to -2, or less, which means the malloc buffer
>   allocation would be a giant 4,294,967,295 byte allocation, a value
>   lots of OSes will reject

Use CVE-2015-5523.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVpby0AAoJEKllVAevmvmsYlgIALsomSkXtN2xeMmqFxVFu3+y
kdUmzXii7CB5uQnwG/AOxnsj1iv0TahON89VTt07ODF+5wDIY0xPp5gaP/YHG65l
AXU+HBIDpDe5YSQNSUrn+DyPVbNzweNWXXrSUtTYF/bIgzSPPbHM6K6nHblNAFfQ
N+rq/O5QeB/xG3DAv+Rj3FzgRZakfRboUDDLQrhBeEy6goys99cgxD09aWqmQSNB
5kB2tQNeCnJ959Ds61joQdgA5iTo9ASxjRMSvanNLD4xW/ofuYGFXkYgFw0cJxTA
zx1FJyxiq7vHW/DpHZ987W3w4fLV2OjlwiJppkVkyoav+F8T6PRh43OFEtdudNk=
=hW30
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ