Date: Sun, 22 Nov 2015 13:40:00 -0500 (EST)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Libxml2: Several out of bounds reads

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://blog.fuzzing-project.org/28-Libxml2-Several-out-of-bounds-reads.html

As far as we can tell, what you mean is that:

  - http://www.xmlsoft.org/news.html mentions 10 CVE IDs

  - the descriptions of those CVE IDs seem largely unrelated to
    either 751603 or 751631

  - also, there is discussion in 751631 about possibly not having
    a CVE ID

  - the cve-assign@...re.org address was on your Cc line

and thus your own preference is for your research to have a CVE mapping
when possible.

> A malformed XML file can cause a heap out of bounds read access in the
> function xmlParseXMLDecl.

> xmlParseXMLDecl: out of bounds heap access if versionencoding="es and any UTF-8 got

> https://bugzilla.gnome.org/show_bug.cgi?id=751603
> https://git.gnome.org/browse/libxml2/commit/?id=9aa37588ee78a06ca1379a9d9356eab16686099c


> A second, very similar issue in the same function xmlParseXMLDecl.

> xmlParseXMLDecl: out of bounds heap read on 0xff char in xml declaration

> https://bugzilla.gnome.org/show_bug.cgi?id=751631
> https://git.gnome.org/browse/libxml2/commit/?id=709a952110e98621c9b78c4f26462a9d8333102e

Use CVE-2015-8317 for both 751603 and 751631.


> A malformed XML file can cause a global out of bounds read access in
> the function xmlNextChar. This only affected the git code and was never
> an issue in any release version. Upstream bug #751643

In the case of a widely used library, a vulnerability in git code,
without an affected upstream release, can sometimes have a CVE ID.
However, it would be necessary to establish that a product used the
vulnerable code. For example, at least in the past, one of the
principal libxml2 users was Chrome. At present, it seems that Chromium
is using parserInternals.c from 2.9.2, not from unreleased git code
(download
https://chromium.googlesource.com/chromium/src/+/master/third_party/libxml/src/parserInternals.c?format=TEXT
and then base64 decode that and compare it to the 2.9.2 file). Our
guess is that it is unlikely that this specific xmlNextChar
vulnerability affected a product; we are not planning to research
this, but other people can research it if they wish. There is
currently no CVE ID for 751643.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
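The check MITRE describes above (fetch a vendored file from Gitiles with ?format=TEXT, base64-decode it, compare it against the copy shipped in the 2.9.2 release) can be scripted. The script below is an added example, not part of the original message or of libxml2 or Chromium; the function names are the editor's, and the sample "release" and "vendored" files it builds are constructed stand-ins so it runs offline. The real network fetch against the chromium.googlesource.com URL quoted in the message is shown only as a comment.

```shell
#!/bin/sh
# Added example (not from the original message): decide whether a downstream
# project's vendored copy of a libxml2 source file is byte-identical to the
# copy in an upstream release tarball. Gitiles serves raw files base64-encoded
# when asked with ?format=TEXT, so the payload must be decoded before diffing.
#
# Real-world usage (needs network; not executed here):
#   curl -s 'https://chromium.googlesource.com/chromium/src/+/master/third_party/libxml/src/parserInternals.c?format=TEXT' > vendored.b64
#   tar xzf libxml2-2.9.2.tar.gz libxml2-2.9.2/parserInternals.c
#   vendored_matches_release vendored.b64 libxml2-2.9.2/parserInternals.c

# Decode a Gitiles ?format=TEXT payload ($1, base64 text) into the file $2.
decode_gitiles_text() {
    base64 -d "$1" > "$2"
}

# Returns 0 when the decoded vendored file ($1, base64) equals the release
# file ($2), 1 otherwise. On mismatch a unified diff is printed so the reader
# can see whether the divergence is the unreleased upstream code in question.
vendored_matches_release() {
    tmp=$(mktemp)
    decode_gitiles_text "$1" "$tmp"
    if cmp -s "$tmp" "$2"; then
        rm -f "$tmp"
        return 0
    fi
    diff -u "$2" "$tmp" || true
    rm -f "$tmp"
    return 1
}

work=$(mktemp -d)

# Constructed stand-in for the release copy of parserInternals.c (not real
# libxml2 code; only the comparison logic matters here).
cat > "$work/release.c" <<'EOF'
/* constructed sample, stands in for libxml2-2.9.2/parserInternals.c */
int xmlNextChar(void) { return 0; }
EOF

# Constructed stand-in for a Gitiles ?format=TEXT response whose decoded
# content is identical to the release file.
base64 "$work/release.c" > "$work/same.b64"

# Constructed stand-in for a vendored copy that diverged from the release
# (the situation in which a git-only bug could reach a shipped product).
printf '/* constructed sample, stands in for libxml2-2.9.2/parserInternals.c */\nint xmlNextChar(void) { return 1; }\n' \
    | base64 > "$work/diverged.b64"

vendored_matches_release "$work/same.b64" "$work/release.c" \
    && echo "same.b64: vendored copy matches the release file"
vendored_matches_release "$work/diverged.b64" "$work/release.c" \
    || echo "diverged.b64: vendored copy differs from the release file"
```

A match only shows that this one file tracks the release; a vendored tree can still carry local patches in other files, so the same comparison should be repeated for every file the fix touched (here parserInternals.c for 751643) before concluding that a product did or did not ship the git-only code.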
