Date: Tue, 14 Jul 2015 21:54:26 -0400 (EDT)
From: cve-assign@...re.org
To: fernando@...l-life.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow

> The original discovery was about memory corruption,
> and then the vendor mentioned an attack variation in which a small
> file can lead to a 4 Gb allocation, which potentially would be
> successful on some platform and cause a DoS.

> In other words, the first CVE would be for
> https://github.com/htacg/tidy-html5/issues/217 with:
>
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 1
>
> tmbstr cp = s = (tmbstr) TidyAlloc( allocator, 1+len );
> Notice the plus 1, so it arrives at TidyAlloc with a ZERO!!!
>
> Now it seems malloc does not mind a zero value, malloc(0), and
> dutifully returns a pointer
>
> Then tmbstrndup does the corruption, with -
>
> while ( len-- > 0 && (*cp++ = *str++) ) /**/;
>
> Of course ( len-- > 0 ) will be true until the 4294967295 expires ;=))
>
> But thankfully the corruption stops when a 0 is reached in the lexer
> with (*cp++ = *str++). As indicated in this case it is storing the
> attribute "href", but that is 4+ bytes of corruption.

Use CVE-2015-5522.

> The second CVE would be for
> https://github.com/htacg/tidy-html5/issues/217#issuecomment-108565501
> with:
>
> In some cases this bug could exhibit a different problem like parsing
> the snippet <a <?xm \0xd?> href="">.
>
> Now the lexer buffer will contain 2, or more IsWhite() chars and len
> would be reduced to -2, or less, which means the malloc buffer
> allocation would be a giant 4,294,967,295 byte allocation, a value
> lots of OSes will reject

Use CVE-2015-5523.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
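
The length wrap-around described in the quoted issue text, as an added C example that is not tidy's code and not part of the original message. `alloc_request` models the quoted `1+len` with a 32-bit unsigned `len` (an assumption consistent with the 4294967295 figure); `checked_strndup` and its `avail` parameter are hypothetical, showing one way to reject a wrapped length before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size that reaches the allocator for the quoted "1+len" when len is a
 * 32-bit unsigned value (assumption): the sum wraps modulo 2^32. */
uint32_t alloc_request(uint32_t len)
{
    return (uint32_t)(1u + len);
}

/* Hypothetical hardened duplicate. `avail` is the number of bytes the
 * caller knows are readable at `str`; a length that went negative
 * upstream shows up here as a huge unsigned value and is refused. */
char *checked_strndup(const char *str, uint32_t len, uint32_t avail)
{
    char *s, *cp;

    if (str == NULL || len == UINT32_MAX || len > avail)
        return NULL;                 /* 1+len would wrap, or len is bogus */
    s = cp = malloc((size_t)len + 1);
    if (s == NULL)
        return NULL;
    while (len-- > 0 && *str != '\0')
        *cp++ = *str++;
    *cp = '\0';                      /* terminator always fits in len+1 */
    return s;
}

int main(void)
{
    uint32_t minus1 = (uint32_t)-1, minus2 = (uint32_t)-2;
    char *ok = checked_strndup("href", 4, 4);   /* constructed input */

    printf("len=-1 -> allocator sees %u bytes\n",
           (unsigned)alloc_request(minus1));
    printf("len=-2 -> allocator sees %u bytes\n",
           (unsigned)alloc_request(minus2));
    printf("checked, len=-1: %s\n",
           checked_strndup("href", minus1, 4) ? "copied" : "rejected");
    printf("checked, len=-2: %s\n",
           checked_strndup("href", minus2, 4) ? "copied" : "rejected");
    printf("checked, len=4:  %s\n", ok ? ok : "rejected");
    free(ok);
    return 0;
}
```

The first two lines of output correspond to the two cases in the message: a zero-byte request for CVE-2015-5522 and a 4,294,967,295-byte request for CVE-2015-5523.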