List:       oss-security
Subject:    Re: [oss-security] Re: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2016-01-26 20:34:28
Message-ID: 20160126203428.GA30775 () eldamar ! local

Hi,

On Tue, Jan 26, 2016 at 12:49:12PM -0500, cve-assign@mitre.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> > HTMLparser.c line 2517:
> > 
> >        return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
> > 
> > "ctxt->input->cur - len" causes an out-of-bounds read.
> > 
> > heap-buffer-overflow
> > READ of size 1
> 
> Use CVE-2016-2073.
> 
> 
> > From: Salvatore Bonaccorso
> > 
> > While checking upstream bugzilla to see if that was reported I noticed
> > 
> > https://bugzilla.gnome.org/show_bug.cgi?id=749115
> > 
> > Does this have the same root cause?
> 
> The CVE-2016-2073 PoC is an '&' followed by three characters, one of
> which is a 0273 character. The PoC in 749115 has an unexpected
> character immediately after a "<!DOCTYPE html" substring. We feel that
> the CVE-2016-2073 report can have that unique ID on the basis of (at
> least) a different attack methodology. CVE assignment for 749115 is
> also possible unless 749115 already has a CVE ID.

Thank you for the clarification. Can you assign an additional CVE for
the 749115 issue?

Regards,
Salvatore