Date: Tue, 26 Jan 2016 21:34:28 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: limingxing@....cn, cve-assign@...re.org
Subject: Re: Re: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function

Hi,

On Tue, Jan 26, 2016 at 12:49:12PM -0500, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > > HTMLparser.c line:2517 :
> > >
> > > return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
> > >
> > > "ctxt->input->cur - len" causes Out-of-bounds Read.
> > >
> > > heap-buffer-overflow
> > > READ of size 1
>
> Use CVE-2016-2073.
>
>
> > From: Salvatore Bonaccorso
> >
> > While checking upstream bugzilla to see if that was reported I noticed
> >
> > https://bugzilla.gnome.org/show_bug.cgi?id=749115
> >
> > Does this have the same root cause?
>
> The CVE-2016-2073 PoC is an '&' followed by three characters, one of
> which is a 0273 character. The PoC in 749115 has an unexpected
> character immediately after a "<!DOCTYPE html" substring. We feel that
> the CVE-2016-2073 report can have that unique ID on the basis of (at
> least) a different attack methodology. CVE assignment for 749115 is
> also possible unless 749115 already has a CVE ID.

Thank you for the clarification. Can you assign an additional CVE for
the 749115 issue?

Regards,
Salvatore