Bug 530604 (CVE-2009-3627)

Summary: CVE-2009-3627 perl-HTML-Parser: Production of invalid (wide) character(s) while parsing HTML entity(ies) with invalid UTF-8 character(s)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: kasal, mmaslano, security-response-team, vdanen, wtogami
Keywords: Security
Hardware: All
OS: Linux
URL: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225
Doc Type: Bug Fix
Last Closed: 2009-11-13 15:15:23 UTC

Description Jan Lieskovsky 2009-10-23 17:42:56 UTC
Originally Mark Martinec reported the following issue to be present in 
HTML-Parser: [1]
http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c

After preliminary analysis we concluded this results in:
---------------------------------------------------------
A denial of service flaw was found in the way HTML-Parser
used to decode certain HTML entities. A remote attacker 
could provide a specially-crafted string (containing HTML
entities) leading to an infinite loop, when processed by
the parser.

But further, more detailed analysis of the issue confirmed
there is no additional, separate security issue (to CVE-2009-3626)
present in HTML-Parser. While [1] is still a bug, it only
"helps" to expose the consequences of:

http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973
http://perl5.git.perl.org/perl.git/commit/0abd0d78a73da1c4d13b1c700526b7e5d03b32d4
http://rt.perl.org/rt3/Ticket/Attachment/617489/295383/

in a quicker way, and doesn't impersonate a security issue
in HTML-Parser itself.

Comment 1 Jan Lieskovsky 2009-10-23 17:46:24 UTC
This issue affects the versions of the perl-HTML-Parser package,
as shipped with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the perl-HTML-Parser package,
as shipped with Fedora releases of 10 and 11, and as scheduled
to appear in Fedora release of 12.

Comment 8 Vincent Danen 2009-11-13 15:35:53 UTC
Red Hat does not believe this is a direct security issue.  This flaw can only lead to a crash if perl-HTML-Parser is used in conjunction with perl 5.10.1, which is not used in any supported version of Red Hat Enterprise Linux.  If used with any earlier version of perl, this flaw only leads to garbage output; there is no infinite loop that would cause a denial of service condition.  The real issue here is CVE-2009-3626, which affects only perl 5.10.1.