Date: Wed, 18 Nov 2015 11:30:42 -0500 (EST)
From: cve-assign@...re.org
To: ya1gaurav@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Buffer overflow in libxml2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Please assign CVE for below vulnerability

There were two buffer over-read issues reported at different times; we
are assigning two CVE IDs.

> https://bugzilla.gnome.org/show_bug.cgi?id=756263
> Reported: 2015-10-08 21:12 UTC by Hugh Davenport
> 
> Buffer over-read with XML parser in xmlNextChar
> 
> AddressSanitizer: global-buffer-overflow ... READ of size 1
> 
> there is potential to get input that could cause out of bounds memory
> to be returned to userspace through the use of libxml2, which could be
> used to cause denial of service attacks, or gain sensitive
> information.
> 
> https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe

Use CVE-2015-8241.


> https://bugzilla.gnome.org/show_bug.cgi?id=756372
> Reported: 2015-10-11 03:18 UTC by Hugh Davenport
> 
> Buffer over-read with HTML parser in push mode in xmlSAX2TextNode
> 
> AddressSanitizer: stack-buffer-overflow ... READ of size 1
> 
> there is potential to get input that could cause out of bounds memory
> to be returned to userspace through the use of libxml2, which could be
> used to cause denial of service attacks, or gain sensitive
> information.

(apparently https://git.gnome.org/browse/libxml2/log/HTMLparser.c
does not yet have a commit)

Use CVE-2015-8242.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWTKddAAoJEL54rhJi8gl5cb0QAI/a8SGInkhVa0m5K3eWYbE4
F+XXCozYZidv46Ld8zJA/2dXZJ9XlD0sve5THsMH+EKcxPRWrKQMZxhREH9XlygP
X6SxOT7B2rbxCBW6bj8RaCg23JcbdP+Ev4d6Zd+9eRszvb6fRlAIS/FqbNEIQs1u
ZOG3NkNCBuVrKICzzRy45xji+MdCaJzlP0rZzvdU/+Alhe5Y3ugAmnsHcq83ghND
WZfB6PMJDJhPd9yg9cP+2DR8o1iwrln15l0voNAtgVjdioAQgI3XCxOsj4A8W5uI
vVxtm2c3a4nwJokkeStcKHMHwrgABgk9ijOiePOOAbbKRQYuf+PSh8ziWZCJyH08
HgEmUva2ONaDPKuuWz6AQ62vGzSpmyXFz5dE/zJIhxB3IJKoVv4gonVSxc5nu4Ar
Q0yNaLr+xRd2NT3TLXL8wck1QElBjHBPH8HDrb/Q6A4Codqk/tBDzRc0vOWQ4FfY
7tedv+1zMjx4FIJhK/SnqnQa4ZG9lypvVP00PCbZnpPuiVyLlOPZPxRx7Ifteom8
zM6+5fsvHMv4vmpB84BOz+9j9AKv36wM1WtdimST4Bl/Pg7f22+v3PJQl06mWB43
/9lMvsCYbn+NpjBlFOykcrTjUeKYgK8h9tKkDMca2dXAzMpEZHZyR44qXyzSx2rz
glyY1KJD+cauQcYNVFTC
=8GTa
-----END PGP SIGNATURE-----
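Both reports quoted in the message above are AddressSanitizer findings of the same shape: a READ of size 1 just past the end of a buffer, in code that steps through parser input one character at a time. The block below is an added illustration of that bug class, written for this page; it is not code from libxml2, from the bug reports, or from the fix commit, and it does not reproduce either CVE. It shows a constructed UTF-8 "next char" step that trusts the lead byte and reads continuation bytes without knowing how much input remains (so a buffer that ends mid-sequence is read past its end), next to a length-checked version that rejects the truncated input instead. The function names (utf8_seq_len, next_char_unchecked, next_char_checked, count_chars, decode_one_checked) and the sample byte strings are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the bug class in the two reports above:
 * a "next char" step that reads one byte past the end of its input.
 * Example code written for this page, not libxml2's xmlNextChar or
 * xmlSAX2TextNode; it does not reproduce CVE-2015-8241 or CVE-2015-8242.
 */

/* Bytes a UTF-8 sequence occupies, judged from its lead byte alone;
 * 0 for an invalid lead byte (stray continuation byte, 0xF8..0xFF). */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

/*
 * UNSAFE (bug pattern): trusts the lead byte and reads the continuation
 * bytes without knowing how much input is left. If the buffer ends in the
 * middle of a sequence, the reads of p[1], p[2], ... run past its end;
 * under -fsanitize=address that is a "...-buffer-overflow ... READ of size 1".
 * Returns bytes consumed, 0 on a bad lead byte.
 */
static size_t next_char_unchecked(const unsigned char *p, uint32_t *cp)
{
    size_t n = utf8_seq_len(p[0]);
    uint32_t v;
    if (n == 0) return 0;
    if (n == 1) { *cp = p[0]; return 1; }
    v = p[0] & (0x7F >> n);              /* payload bits of the lead byte */
    for (size_t i = 1; i < n; i++)
        v = (v << 6) | (p[i] & 0x3F);    /* p[i] may lie past the buffer */
    *cp = v;
    return n;
}

/*
 * HARDENED: carries the remaining length and checks each continuation
 * byte before touching it. Returns bytes consumed, 0 on invalid or
 * truncated input, so the caller stops instead of reading past the end.
 */
static size_t next_char_checked(const unsigned char *p, size_t len, uint32_t *cp)
{
    size_t n;
    uint32_t v;
    if (len == 0) return 0;
    n = utf8_seq_len(p[0]);
    if (n == 0 || n > len) return 0;     /* bad lead byte, or sequence cut off by end of buffer */
    if (n == 1) { *cp = p[0]; return 1; }
    v = p[0] & (0x7F >> n);
    for (size_t i = 1; i < n; i++) {
        if ((p[i] & 0xC0) != 0x80) return 0;   /* not a continuation byte */
        v = (v << 6) | (p[i] & 0x3F);
    }
    *cp = v;
    return n;
}

/* Walks a buffer that is NOT nul-terminated, using only the checked decoder;
 * returns the character count, or -1 on invalid or truncated input. */
static long count_chars(const unsigned char *buf, size_t len)
{
    long count = 0;
    size_t pos = 0;
    while (pos < len) {
        uint32_t cp;
        size_t n = next_char_checked(buf + pos, len - pos, &cp);
        if (n == 0) return -1;
        pos += n;
        count++;
    }
    return count;
}

/* Decodes a single sequence with the checked decoder: the code point,
 * or UINT32_MAX when the input is rejected. */
static uint32_t decode_one_checked(const char *s, size_t len)
{
    uint32_t cp = 0;
    return next_char_checked((const unsigned char *)s, len, &cp) ? cp : UINT32_MAX;
}

int main(void)
{
    /* Constructed input: 'h', U+00E9 (C3 A9), then a lone 3-byte lead byte,
     * in a stack array of exactly 4 bytes with no trailing NUL. */
    unsigned char stack_buf[4] = { 'h', 0xC3, 0xA9, 0xE2 };
    uint32_t cp;

    printf("checked walk: %ld (-1 = truncated sequence rejected)\n",
           count_chars(stack_buf, sizeof stack_buf));

    /* Unchecked decoder on the 1-byte tail reads stack_buf[4] and [5].
     * Build with: cc -g -fsanitize=address example.c && ./a.out
     * to see ASan report a stack-buffer-overflow READ of size 1. */
    size_t n = next_char_unchecked(stack_buf + 3, &cp);
    printf("unchecked decoder consumed %zu bytes from a 1-byte tail\n", n);
    return 0;
}
```

The repair pattern is the one in next_char_checked: every routine that advances through parser input takes the remaining length (or a pointer to the end) and compares the sequence length against it before touching any continuation byte, rather than relying on a terminator that a push-mode chunk or a non-nul-terminated buffer may not provide.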
