Bug 1228297 (CVE-2015-5522, CVE-2015-5523)
| Summary: | CVE-2015-5522 CVE-2015-5523 tidy: heap buffer overflow in ParseValue() | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | carnil, gwync, pertusus, praiskup, rdieter |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Tidy 4.9.31 | Doc Type: | Bug Fix |
| Doc Text: | It was discovered that tidy did not properly process certain character sequences. By tricking an application that is using tidy into processing a specially crafted HTML document, a remote attacker could exploit this flaw to cause a crash or, possibly, execute arbitrary code with the privileges of the affected application. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-06-11 21:04:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1228298, 1228299 | | |
| Bug Blocks: | 1228300 | | |
Description
Vasyl Kaigorodov
2015-06-04 14:47:37 UTC
Created tidy tracking bugs for this issue:

Affects: fedora-all [bug 1228298]
Affects: epel-all [bug 1228299]

https://github.com/htacg/tidy-html5/issues/217 has a reasonable analysis; I don't think I can add much to that. It may be possible to gain reasonable control over where exactly we end up writing to by using control characters intelligently. Given that this library is used by php-tidy and php is full of function pointers, code execution appears reasonable.

Statement:

This issue affects the versions of tidy as shipped with Red Hat Enterprise Linux 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

From https://github.com/htacg/tidy-html5/issues/217#issuecomment-108565501:

"""
In some cases this bug could exhibit a different problem like parsing the snippet `<a <?xm \0xd?> href="">`. Now the lexer buffer will contain 2, or more IsWhite() chars and len would be reduced to -2, or less, which means the malloc buffer allocation would be a giant 4,294,967,295 byte allocation, a value lots of OSes will reject.
"""

Separate CVE-2015-5523 was assigned to the above issue: http://seclists.org/oss-sec/2015/q3/116

Upstream commit fixes both CVE-2015-5522 and CVE-2015-5523, also the Impact, CVSS and CWE for CVE-2015-5523 won't be any different from CVE-2015-5522 - having 2 CVEs tracked under a single bug seems reasonable in this case.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-5522
https://access.redhat.com/security/cve/cve-2015-5523
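The underflow quoted above, as a constructed C model added here rather than tidy's own ParseValue() code (which this page does not show): a signed `len` is decremented once per trailing IsWhite() byte with no lower bound, then `len + 1` is handed to the allocator as an unsigned size, so an empty value preceded by two whitespace bytes leaves len == -2 and a 4,294,967,295-byte request; the hardened form bounds the loop and rejects a negative length first. The names `is_white`, `vuln_alloc_size`, `safe_alloc_size` and the buffer contents are assumptions.

```c
/* Constructed model of the signed-length trimming behind CVE-2015-5523; it is
 * not tidy's ParseValue(). lexbuf holds the bytes consumed so far, start
 * indexes the attribute value, len is its signed length, and the allocator is
 * asked for len + 1 bytes as an unsigned 32-bit size. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for tidy's IsWhite(): space, tab, CR, LF. */
static int is_white(unsigned char c)
{
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

/* Vulnerable form: the loop has no lower bound, so when the value itself is
 * empty (len == 0) and is preceded by whitespace, each whitespace byte pushes
 * len below zero. Returns the byte count that would be handed to malloc(). */
uint32_t vuln_alloc_size(const unsigned char *lexbuf, int start, int len)
{
    while (is_white(lexbuf[start + len - 1]))  /* walks back past start */
        --len;
    return (uint32_t)(len + 1);                /* len == -2 -> 4,294,967,295 */
}

/* Hardened form: trim only within the value, and reject a negative length
 * before it can reach the allocator. Returns 0 for a rejected value. */
uint32_t safe_alloc_size(const unsigned char *lexbuf, int start, int len)
{
    if (start < 0 || len < 0)
        return 0;
    while (len > 0 && is_white(lexbuf[start + len - 1]))
        --len;
    return (uint32_t)len + 1;                  /* room for the NUL */
}

int main(void)
{
    /* Constructed lexer state after "<?xm \r" was swallowed inside the tag:
     * the value region is empty and sits right after two IsWhite() bytes. */
    const unsigned char lexbuf[] = "<a <?xm \r";
    int start = (int)(sizeof lexbuf - 1), len = 0;
    printf("vulnerable request: %" PRIu32 " bytes\n", vuln_alloc_size(lexbuf, start, len));
    printf("hardened request:   %" PRIu32 " bytes\n", safe_alloc_size(lexbuf, start, len));
    /* A well-formed value is trimmed identically by both forms. */
    const unsigned char value[] = "foo  ";
    printf("benign: %" PRIu32 " vs %" PRIu32 "\n",
           vuln_alloc_size(value, 0, 5), safe_alloc_size(value, 0, 5));
    return 0;
}
```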