Date: Mon,  9 May 2016 19:25:19 -0400 (EDT)
From: cve-assign@...re.org
To: gustavo.grieco@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE requested: two stack exhaustation parsing xml files using mxml


> We found two stack exhaustion conditions that can easily crash mxml
> when parsing an xml.

(The two example XML documents seem dissimilar. For example,
stack-exhaustion-2.xml starts with "<?xml" whereas
stack-exhaustion-1.xml does not.)


> Recursion using mxmlDelete at mxml-node.c:217 (stack-exhaustion-1.xml)

Use CVE-2016-4570.


> Recursion using mxml_write_node at mxml-file.c:2739 (stack-exhaustion-2.xml)

Use CVE-2016-4571.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
