Date: Sat, 4 Jun 2016 18:40:21 +0200
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: DoS in phantomjs 2.1.1 rasterizing websites

2016-06-02 18:18 GMT+02:00  <cve-assign@...re.org>:
>> A denial of service vulnerability was found in phantomjs when it
>> is processing a particular svg file. This crash, caused by a null
>> pointer dereference, can be easily used by a malicious website to
>> avoid rasterizing when it is crawled using phantomjs 2.1.1. Previous
>> versions like 1.9.x are not affected. A reproducer is available here:
>>
>> https://github.com/ariya/phantomjs/issues/14244
>
> Please provide more information about the threat model. Do you mean
> that a single PhantomJS process is commonly used to access a series of
> independently operated web sites, and the operator of any one web site
> could disrupt this use case by placing the crafted SVG file on their
> site? Or, do you mean that the only known impact is that one web-site
> operator could prevent PhantomJS access (e.g., screenshotting) of
> their own web site by using the crafted SVG file -- in other words,
> the crash would not realistically disrupt any use of PhantomJS by the
> same client to access other web sites?

For sure, a malicious website can use it to avoid screenshotting and
other automatic operations just by including such an image.

>
> Is ongoing use of PhantomJS disrupted only in the
> http://phantomjs.org/api/webserver/ case? In other words, any one
> web-site operator could crash the web server within PhantomJS, and
> there would be an outage until the web server within PhantomJS is
> manually restarted?

I'm not sure about this. I was hoping someone from oss-security could
comment on this.

>
> --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>   http://cve.mitre.org/cve/request_id.html ]
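The isolation question the CVE team raises above, as an added example that is not from the thread or the PhantomJS project: a crawl harness that runs the rasterizer once per site in its own child process, so a site serving the crafted SVG only fails its own capture instead of ending the whole batch. It assumes the rasterizer command takes the URL as its last argument; `STUB_CMD` is a constructed stand-in for the real binary.

```python
import signal
import subprocess
import sys


def rasterize_one(cmd, url, timeout=30):
    """Run `cmd + [url]` in a child process and return (url, status, detail).

    status is "ok", "crash" (child killed by a signal, e.g. SIGSEGV from a
    NULL pointer dereference), "error" (non-zero exit) or "timeout".
    """
    try:
        proc = subprocess.run(cmd + [url], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return (url, "timeout", None)
    if proc.returncode < 0:
        # Negative return code: the child was terminated by signal -returncode.
        return (url, "crash", signal.Signals(-proc.returncode).name)
    if proc.returncode != 0:
        return (url, "error", proc.returncode)
    return (url, "ok", 0)


def crawl(cmd, urls, timeout=30):
    """Rasterize each site independently; a crash on one never aborts the rest."""
    return [rasterize_one(cmd, url, timeout) for url in urls]


# Constructed stand-in for the real rasterizer (not phantomjs): it dies with
# SIGSEGV for any URL containing "crash" and exits cleanly otherwise.
STUB_CMD = [
    sys.executable, "-c",
    "import os, signal, sys; "
    "os.kill(os.getpid(), signal.SIGSEGV) if 'crash' in sys.argv[1] else sys.exit(0)",
]

if __name__ == "__main__":
    # Constructed URLs; the middle one stands for the site with the crafted SVG.
    for result in crawl(STUB_CMD, ["http://a.example/", "http://crash.example/", "http://b.example/"]):
        print(result)
```

A per-site failure is recorded as data for the operator to review while the remaining sites are still captured, which is the difference between a crash inside one shared process and a crash in a disposable child.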
