Date: Tue, 26 Jan 2016 21:34:28 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: limingxing@....cn, cve-assign@...re.org
Subject: Re: Re: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function

Hi,

On Tue, Jan 26, 2016 at 12:49:12PM -0500, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> > HTMLparser.c line:2517 :
> > 
> >        return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
> > 
> > "ctxt->input->cur - len" causes an out-of-bounds read.
> > 
> > heap-buffer-overflow
> > READ of size 1
> 
> Use CVE-2016-2073.
> 
> 
> > From: Salvatore Bonaccorso
> > 
> > While checking upstream bugzilla to see if that was reported I noticed
> > 
> > https://bugzilla.gnome.org/show_bug.cgi?id=749115
> > 
> > Does this have the same root cause?
> 
> The CVE-2016-2073 PoC is an '&' followed by three characters, one of
> which is a 0273 character. The PoC in 749115 has an unexpected
> character immediately after a "<!DOCTYPE html" substring. We feel that
> the CVE-2016-2073 report can have that unique ID on the basis of (at
> least) a different attack methodology. CVE assignment for 749115 is
> also possible unless 749115 already has a CVE ID.

Thank you for the clarification. Can you assign an additional CVE for
the 749115 issue?

Regards,
Salvatore
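The quoted line locates the just-scanned name by subtracting the accumulated length from the current read position, so the lookup reads before the heap buffer whenever cur sits fewer than len bytes past base. The C program below is an added illustration, not libxml2 code and not the upstream fix: it models a parser input window with the same cur/len shape, constructs the PoC shape the thread describes ('&' followed by three name bytes, one of them octal 273, taken here as 0xBB), shows one way cur and len can fall out of step (the input layer discarding consumed bytes and rebasing the buffer in the middle of a name, a constructed scenario that the thread does not attribute to libxml2), and places a bounds check beside the vulnerable arithmetic. The names struct input, rebase_input, scan_name_len, vuln_name_start, safe_name_start and make_poc are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a parser input window (not libxml2's xmlParserInput):
 * [base, end) is the live buffer and cur is the read position. */
struct input {
    unsigned char *base;
    unsigned char *cur;
    unsigned char *end;
};

/* Constructed scenario: the input layer drops the bytes already consumed and
 * rebases the buffer, so afterwards cur == base and nothing lies behind cur.
 * The thread does not say this is what happens inside libxml2; it is one way
 * the cur/len arithmetic below can go wrong. */
static void rebase_input(struct input *in)
{
    size_t rest = (size_t)(in->end - in->cur);
    memmove(in->base, in->cur, rest);
    in->cur = in->base;
    in->end = in->base + rest;
}

/* Name bytes for this toy: ASCII alphanumerics plus any byte >= 0x80. */
static int is_name_byte(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c >= 0x80;
}

/* Walk the name forward from cur, counting bytes in len the way the quoted
 * code does.  When rebase_on_high is set, a byte >= 0x80 triggers
 * rebase_input() mid-name: base and cur move, len does not. */
static size_t scan_name_len(struct input *in, int rebase_on_high)
{
    size_t len = 0;
    while (in->cur < in->end && is_name_byte(*in->cur)) {
        if (rebase_on_high && *in->cur >= 0x80)
            rebase_input(in);
        in->cur++;
        len++;
    }
    return len;
}

/* Vulnerable shape: locate the name as cur - len, as in the quoted
 * xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len) call.  The result is
 * returned as a byte offset from base so this program never forms or
 * dereferences a pointer outside the allocation; a negative value means the
 * real call would read before the heap buffer. */
static long vuln_name_start(struct input *in, int rebase_on_high)
{
    size_t len = scan_name_len(in, rebase_on_high);
    return (long)(in->cur - in->base) - (long)len;
}

/* Hardened shape (a suggested check, not the upstream patch): only subtract
 * when len bytes really lie between base and cur; otherwise return -1 so the
 * caller can abort the parse instead of reading out of bounds. */
static long safe_name_start(struct input *in, int rebase_on_high)
{
    size_t len = scan_name_len(in, rebase_on_high);
    if ((size_t)(in->cur - in->base) < len)
        return -1;
    return (long)(in->cur - in->base) - (long)len;
}

/* Constructed input with the PoC shape from the thread: '&' followed by three
 * name bytes, one of them octal 273 (0xBB).  cur starts just past the '&'. */
static struct input make_poc(void)
{
    static const unsigned char doc[] = "&ab\273";
    struct input in;
    in.base = malloc(sizeof doc);
    memcpy(in.base, doc, sizeof doc);
    in.cur = in.base + 1;
    in.end = in.base + sizeof doc - 1;   /* exclude the terminating NUL */
    return in;
}

int main(void)
{
    struct input a = make_poc(), b = make_poc(), c = make_poc();
    printf("no rebase:  name starts at offset %ld\n", vuln_name_start(&a, 0));
    printf("rebased:    cur - len lands at offset %ld (before base)\n",
           vuln_name_start(&b, 1));
    printf("hardened:   lookup result %ld (rejected)\n", safe_name_start(&c, 1));
    free(a.base);
    free(b.base);
    free(c.base);
    return 0;
}
```

Without the mid-name rebase the computed start is offset 1 (the 'a' after '&'); with it, cur - len resolves to offset -2, two bytes before the allocation, which is the kind of one-byte heap read an address sanitizer reports. The hardened variant refuses the lookup in that case. The check compares cur - base against len, which is cheap and does not depend on knowing why the two drifted apart.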
