Bug 2215234 (CVE-2023-34623)

Summary: CVE-2023-34623 jtidy: denial of service via crafted object that uses cyclic dependencies
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abenaiss, ahanwate, aileenc, alampare, alazarot, anstephe, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, chfoley, cmah, cmiranda, darran.lofthouse, dbruscin, dfreiber, dhanak, dkreling, dosoudil, drichtar, drosa, drow, eaguilar, ebaron, ellin, emingora, eric.wittmann, fjuma, fmariani, fmongiar, gjospin, gmalinko, hhorak, ibek, istudens, ivassile, iweiss, janstey, jburrell, jkang, jnethert, jolong, jorton, jpallich, jpechane, jpoth, jrokos, jscholz, juneau, kvanderr, kverlaen, lbacciot, lgao, lthon, mbenatto, mizdebsk, mnovotny, mosmerov, mposolda, msochure, mstefank, msvehla, nipatil, nwallace, pantinor, pcongius, pdelbell, pdrozd, peholase, pesilva, pgallagh, pjindal, pmackay, pskopek, rguimara, rjohnson, rkieley, rkubis, rogbas, rowaters, rruss, rstancel, rstepani, sausingh, sfroberg, shbose, smaestri, ssilvert, sthorger, swoodman, tcunning, thoger, tom.jenkinson, vkumar, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jtidy 1.0.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jtidy when parsing untrusted html. If the parser is running on unsanitized user input, an attacker could craft a request that causes the parser to crash by stack overflow, resulting in a denial of service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2215235, 2215236, 2230041, 2230043, 2230044, 2230046, 2230047    
Bug Blocks: 2215237    

Description Sandipan Roy 2023-06-15 06:39:00 UTC 
An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

https://github.com/trajano/jtidy/issues/4
Comment 17 TEJ RATHI 2023-08-08 14:33:31 UTC 
Created jtidy tracking bugs for this issue:

Affects: fedora-37 [bug 2230046]
Affects: fedora-38 [bug 2230047]