oss-sec mailing list archives
Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow
From: cve-assign () mitre org
Date: Tue, 14 Jul 2015 21:54:26 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
The original discovery was about memory corruption, and then the vendor mentioned an attack variation in which a small file can lead to a 4 Gb allocation, which potentially would be successful on some platform and cause a DoS.
In other words, the first CVE would be for https://github.com/htacg/tidy-html5/issues/217 with: AddressSanitizer: heap-buffer-overflow WRITE of size 1 tmbstr cp = s = (tmbstr) TidyAlloc( allocator, 1+len ); Notice the plus 1, so it arrives at TidyAlloc with a ZERO!!! Now it seems malloc does not mind a zero value, malloc(0), and dutifully returns a pointer Then tmbstrndup does the corruption, with - while ( len-- > 0 && (*cp++ = *str++) ) /**/; Of course ( len-- > 0 ) will be true until the 4294967295 expires ;=)) But thankfully the corruption stops when a 0 is reached in the lexer with (*cp++ = *str++). As indicated in this case it is storing the attribute "href", but that is 4+ bytes of corruption.
Use CVE-2015-5522.
The second CVE would be for https://github.com/htacg/tidy-html5/issues/217#issuecomment-108565501 with: In some cases this bug could exibit a different problem like parsing the snippet <a <?xm \0xd?> href="">. Now the lexer buffer will contain 2, or more IsWhite() chars and len would be reduced to -2, or less, which means the malloc buffer allocation would be a giant 4,294,967,295 byte allocation, a value lots of OSes will reject
Use CVE-2015-5523. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVpby0AAoJEKllVAevmvmsYlgIALsomSkXtN2xeMmqFxVFu3+y kdUmzXii7CB5uQnwG/AOxnsj1iv0TahON89VTt07ODF+5wDIY0xPp5gaP/YHG65l AXU+HBIDpDe5YSQNSUrn+DyPVbNzweNWXXrSUtTYF/bIgzSPPbHM6K6nHblNAFfQ N+rq/O5QeB/xG3DAv+Rj3FzgRZakfRboUDDLQrhBeEy6goys99cgxD09aWqmQSNB 5kB2tQNeCnJ959Ds61joQdgA5iTo9ASxjRMSvanNLD4xW/ofuYGFXkYgFw0cJxTA zx1FJyxiq7vHW/DpHZ987W3w4fLV2OjlwiJppkVkyoav+F8T6PRh43OFEtdudNk= =hW30 -----END PGP SIGNATURE-----
Current thread:
- Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow Fernando Muñoz (Jul 10)
- Re: Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow Mark Felder (Jul 12)
- <Possible follow-ups>
- Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow cve-assign (Jul 13)
- Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow Alessandro Ghedini (Jul 13)
- Re: Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow Alessandro Ghedini (Jul 13)
- Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow Fernando Muñoz (Jul 13)
- Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow Alessandro Ghedini (Jul 13)
- Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow cve-assign (Jul 14)