Bug 530604 (CVE-2009-3627) - CVE-2009-3627 perl-HTML-Parser: Production of invalid (wide) character(s) while parsing HTML entity(ies) with invalid UTF-8 character(s)
Summary: CVE-2009-3627 perl-HTML-Parser: Production of invalid (wide) character(s) whi...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2009-3627
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: https://issues.apache.org/SpamAssassi...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-10-23 17:42 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:33 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-13 15:15:23 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2009-10-23 17:42:56 UTC
Originally Mark Martinec reported the following issue to be present in 
HTML-Parser: [1]
http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c

After preliminary analysis we concluded this results in:
---------------------------------------------------------
A denial of service flaw was found in the way HTML-Parser
used to decode certain HTML entities. A remote attacker 
could provide a specially-crafted string (containing HTML
entities) leading to infinite loop, when processed by
the parser.

But further, more detailed analysis of the issue confirmed
there is no additional, separated security issue (to CVE-2009-3626)
present in HTML-Parser. While [1] is still bug, it only
"helps" to expose the consequences of:

http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973
http://perl5.git.perl.org/perl.git/commit/0abd0d78a73da1c4d13b1c700526b7e5d03b32d4
http://rt.perl.org/rt3/Ticket/Attachment/617489/295383/

in more quicker way, and doesn't impersonate security issue
in HTML-Parser itself.

Comment 1 Jan Lieskovsky 2009-10-23 17:46:24 UTC
This issue affects the versions of the perl-HTML-Parser package,
as shipped with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the perl-HTML-Parser package,
as shipped with Fedora releases of 10 and 11, and as scheduled
to appear in Fedora release of 12.

Comment 8 Vincent Danen 2009-11-13 15:35:53 UTC
Red Hat does not believe this is a direct security issue.  This flaw can only lead to a crash if perl-HTML-Parser is used in conjunction with perl 5.10.1, which is not used in any supported version of Red Hat Enterprise Linux.  If used with any earlier version of perl, this flaw only leads to garbage output; there is no infinite loop that would cause a denial of service condition.  The real issue here is CVE-2009-3626, which affects only perl 5.10.1.


Note You need to log in before you can comment on or make changes to this bug.