Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 17 May 2016 17:16:17 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Cc: sebastian@...ping.org, karl@...lawek.net
Subject: CVE-2016-0718: Expat XML Parser Crashes on Malformed Input

CVE-2016-0718: Expat XML Parser Crashes on Malformed Input

Severity: Critical

Versions Affected: All Expat XML Parser library versions

Description: The Expat XML parser mishandles certain kinds of malformed
input documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as memory
corruption during a parse operation. The bugs allow for a denial of service
attack in many applications by an unauthenticated attacker, and could
conceivably result in remote code execution.

Mitigation: Applications that are using Expat should apply the
attached patch as soon as possible.

Credit: this issue was reported by Gustavo Grieco

and patched by:

* Pascal Cuoq
* Christian Heimes
* Karl Waclawek
* Gustavo Grieco
* Sebastian Pipping

View attachment "CVE-2016-0718-v2-2-1.patch" of type "text/x-patch" (26435 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ