Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 11 May 2016 22:44:13 +0200
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE requested: two stack exhaustation parsing xml files using mxml

2016-05-10 1:25 GMT+02:00  <cve-assign@...re.org>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> We found two stack exhaustion conditions that can easily crash mxml
>> when parsing an xml.
>
> (The two example XML documents seem dissimilar. For example,
> stack-exhaustion-2.xml starts with "<?xml" whereas
> stack-exhaustion-1.xml does not.)
>
>
>> Recursion using mxmlDelete at mxml-node.c:217 (stack-exhaustion-1.xml)
>
> Use CVE-2016-4570.
>
>
>> Recursion using mxml_write_node at mxml-file.c:2739 (stack-exhaustion-2.xml)
>
> Use CVE-2016-4571.

Thanks!

The report of these stack exhaustions is here:

http://www.msweet.org/bugs.php?U549 (but you need to register)

Just to clarify, since we compiled testmxml with ASAN, in order to
reproduce  using the attached files in the original binary it is
necessary to reduce a little the stack size, for instance:

$ ulimit -s 4000

The stack exhaustations are still possible with the original testmxml
binary, but it requires slightly bigger files.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.