oss-sec mailing list archives
Re: Re: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function
From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 26 Jan 2016 21:34:28 +0100
Hi,

On Tue, Jan 26, 2016 at 12:49:12PM -0500, cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > HTMLparser.c line:2517 :
> > return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
> > "ctxt->input->cur - len" causes an Out-of-bounds Read.
> > heap-buffer-overflow READ of size 1
>
> Use CVE-2016-2073.
>
> > From: Salvatore Bonaccorso
> > While checking upstream bugzilla to see if that was reported I noticed
> > https://bugzilla.gnome.org/show_bug.cgi?id=749115
> > Does this have the same root cause?
>
> The CVE-2016-2073 PoC is an '&' followed by three characters, one of
> which is a 0273 character. The PoC in 749115 has an unexpected character
> immediately after a "<!DOCTYPE html" substring. We feel that the
> CVE-2016-2073 report can have that unique ID on the basis of (at least)
> a different attack methodology. CVE assignment for 749115 is also
> possible unless 749115 already has a CVE ID.
Thank you for the clarification. Can you assign an additional CVE for the
749115 issue?

Regards,
Salvatore
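The line quoted in the thread, `xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)`, computes the start of a name by stepping `len` bytes back from the cursor without checking that `len` bytes actually precede it; when fewer do, the resulting pointer lies before the input buffer and the lookup reads out of bounds. The following C program is an added illustration for this archive page, not libxml2's code and not the upstream fix: it models the parser input as a buffer with a cursor, and shows a bounds-checked variant of that backward name lookup that refuses the request instead of forming an out-of-range pointer. The `html_input` struct, the `input_at`, `name_start_checked` and `copy_name_checked` functions, and the sample buffer are all hypothetical constructions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the parser's input state: the buffer occupies
 * [base, end) and `cur` has advanced past the bytes already consumed. */
struct html_input {
    const char *base;
    const char *cur;
    const char *end;
};

/* Build an input over a NUL-terminated constructed buffer with `consumed`
 * bytes already scanned (clamped to the buffer length). */
static struct html_input input_at(const char *buf, size_t consumed)
{
    struct html_input in;
    size_t n = strlen(buf);
    if (consumed > n)
        consumed = n;
    in.base = buf;
    in.cur = buf + consumed;
    in.end = buf + n;
    return in;
}

/* Bounds-checked replacement for the bare `cur - len` computation.
 * The subtraction is only performed once we know the name lies entirely
 * inside the consumed part of the buffer, so no pointer before `base`
 * is ever formed. Returns 1 and sets *start on success, 0 otherwise. */
static int name_start_checked(const struct html_input *in, size_t len,
                              const char **start)
{
    size_t consumed = (size_t)(in->cur - in->base);
    if (len == 0 || len > consumed)
        return 0;              /* name would begin before the buffer */
    *start = in->cur - len;
    return 1;
}

/* Stand-in for interning the name (xmlDictLookup in the report): copy it
 * into a caller buffer. Returns the number of bytes copied, or 0 if the
 * name is out of range or does not fit. */
static size_t copy_name_checked(const struct html_input *in, size_t len,
                                char *out, size_t outsz)
{
    const char *start;
    if (!name_start_checked(in, len, &start))
        return 0;
    if (len + 1 > outsz)
        return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed sample: cursor sits just after "&amp", 7 bytes in. */
    struct html_input in = input_at("<p>&amp;x", 7);
    char out[16];

    /* A 3-byte name ("amp") is fully inside the consumed region. */
    if (copy_name_checked(&in, 3, out, sizeof out))
        printf("name ok: \"%s\"\n", out);

    /* A length larger than the bytes consumed is refused rather than
     * turned into a read before the start of the buffer. */
    if (!copy_name_checked(&in, 8, out, sizeof out))
        printf("len 8 refused: only 7 bytes precede the cursor\n");
    return 0;
}
```

The check is the same kind of invariant a parser has to maintain whenever it tracks a name by length and reconstructs its start from the cursor: the length must never exceed the distance from the buffer base to the cursor, and that has to hold even after the input buffer has been refilled or shifted underneath the cursor.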
Current thread:
- Out-of-bounds Read in the libxml2's htmlParseNameComplex() function limingxing (Jan 25)
- Re: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function Salvatore Bonaccorso (Jan 26)
- Re: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function cve-assign (Jan 26)
- Re: Re: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function Salvatore Bonaccorso (Jan 26)
- Re: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function cve-assign (Feb 03)
- Re: Re: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function Salvatore Bonaccorso (Jan 26)