Bugzilla – Bug 933588
VUL-1: CVE-2015-5522,CVE-2015-5523: tidy: Heap-based buffer-overflow in tidy/libtidy
Last modified: 2017-06-15 21:25:20 UTC
Recently a heap-based buffer overflow in the lexer of tidy5 was discovered which can be triggered by malformed input [1]. This also affects the latest version of the original W3C tidy project [2], from which tidy5 was forked and which is packaged in all supported releases of openSUSE including Factory.

[1] https://github.com/htacg/tidy-html5/issues/217
[2] http://tidy.sourceforge.net/
http://www.openwall.com/lists/oss-security/2015/06/04/2
This is an autogenerated message for OBS integration: This bug (933588) was mentioned in
https://build.opensuse.org/request/show/310235 Factory / tidy
https://build.opensuse.org/request/show/310239 13.2+13.1 / tidy
Affects SLE 11/12 SDK.
Created attachment 636864 [details] c18f27a58792f7fbd0b30a0ff50d6b40a82f940d.patch

On SLE 12, the relevant hunk of https://github.com/htacg/tidy-html5/commit/c18f27a58792f7fbd0b30a0ff50d6b40a82f940d applies.
bugbot adjusting priority
openSUSE-SU-2015:1050-1: An update that contains security fixes can now be installed.
Category: security (moderate)
Bug References: 933588
CVE References:
Sources used:
openSUSE 13.2 (src): tidy-1.0.20100204cvs-19.3.1
openSUSE 13.1 (src): tidy-1.0.20100204cvs-17.3.1
No CVE yet.
http://seclists.org/oss-sec/2015/q3/116

The original discovery was about memory corruption, and then the vendor mentioned an attack variation in which a small file can lead to a 4 GB allocation, which potentially would be successful on some platform and cause a DoS. In other words, the first CVE would be for https://github.com/htacg/tidy-html5/issues/217 with:

AddressSanitizer: heap-buffer-overflow WRITE of size 1

tmbstr cp = s = (tmbstr) TidyAlloc( allocator, 1+len );

Notice the plus 1, so it arrives at TidyAlloc with a ZERO!!! Now it seems malloc does not mind a zero value, malloc(0), and dutifully returns a pointer. Then tmbstrndup does the corruption, with

while ( len-- > 0 && (*cp++ = *str++) ) /**/;

Of course ( len-- > 0 ) will be true until the 4294967295 expires ;=)) But thankfully the corruption stops when a 0 is reached in the lexer with (*cp++ = *str++). As indicated, in this case it is storing the attribute "href", but that is 4+ bytes of corruption.

Use CVE-2015-5522.

The second CVE would be for https://github.com/htacg/tidy-html5/issues/217#issuecomment-108565501 with:

In some cases this bug could exhibit a different problem, like parsing the snippet <a <?xm \0xd?> href="">. Now the lexer buffer will contain 2 or more IsWhite() chars and len would be reduced to -2 or less, which means the malloc buffer allocation would be a giant 4,294,967,295 byte allocation, a value lots of OSes will reject.

Use CVE-2015-5523.
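The unsigned wraparound described in the comment above, as an added example that is not code from tidy, tidy5 or the bug's reporters: a small C model of the length arithmetic (len decremented past zero while stripping whitespace), the 1+len allocation size that wraps to 0 (CVE-2015-5522) or to 4294967295 (CVE-2015-5523), the number of bytes the original copy loop would write into that allocation, and a hardened tmbstrndup beside it. The trimmed_len model, the function names and the "href" sample input are assumptions made for illustration; the byte count is computed rather than performed, so the program runs without actually corrupting the heap.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int uint;
typedef char *tmbstr;
typedef const char *ctmbstr;

/* Model (assumption, not the real lexer code) of the length handed to tmbstrndup:
 * a buffer length with trailing whitespace stripped by decrementing an unsigned
 * counter.  Stripping more whitespace than the buffer holds wraps len past zero,
 * which is the arithmetic the bug report describes. */
uint trimmed_len(uint buflen, uint trailing_white)
{
    uint len = buflen;
    while (trailing_white-- > 0)
        len--;                      /* 0 - 1 wraps to UINT_MAX, 0 - 2 to UINT_MAX-1 */
    return len;
}

/* The allocation size the original tmbstrndup computes: 1+len.
 * len == UINT_MAX   -> 0          (malloc(0), then the copy overflows it)
 * len == UINT_MAX-1 -> 4294967295 (the "giant" allocation most OSes reject) */
uint vulnerable_alloc_size(uint len)
{
    return 1u + len;
}

/* Bytes the original copy loop
 *     while ( len-- > 0 && (*cp++ = *str++) ) ;
 *     *cp = 0;
 * would write into that allocation: it stops after copying the terminating NUL
 * of the source, or when len runs out, and then writes one more NUL.
 * Computed, not performed. */
size_t vulnerable_copy_bytes(ctmbstr str, uint len)
{
    size_t n = strlen(str) + 1;
    if (n > len)
        n = len;
    return n + 1;
}

/* Hardened variant: refuse a len that would wrap 1+len, never read past the
 * source's own terminator, and size the allocation by what is actually copied. */
tmbstr safe_tmbstrndup(ctmbstr str, uint len)
{
    size_t n;
    tmbstr s;

    if (str == NULL || len == UINT_MAX)
        return NULL;                /* 1+len would wrap to 0 */
    for (n = 0; n < len && str[n] != '\0'; n++)
        ;                           /* bounded length, like strnlen */
    s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, str, n);
    s[n] = '\0';
    return s;
}

/* Helper for checking the hardened copy: 1 if the copy equals expect, else 0. */
int safe_copy_matches(ctmbstr str, uint len, ctmbstr expect)
{
    tmbstr s = safe_tmbstrndup(str, len);
    int ok = (s != NULL && strcmp(s, expect) == 0);
    free(s);
    return ok;
}

int main(void)
{
    /* Constructed input: the attribute name "href" in a 4-byte buffer, with len
     * wrapped by stripping one or two whitespace chars more than the buffer holds. */
    uint len = trimmed_len(4, 5);               /* 4 - 5 wraps to UINT_MAX */
    printf("len=%u alloc=%u bytes written=%zu\n", len,
           vulnerable_alloc_size(len), vulnerable_copy_bytes("href", len));

    len = trimmed_len(4, 6);                    /* 4 - 6 wraps to UINT_MAX-1 */
    printf("len=%u alloc=%u (4 GiB request)\n", len, vulnerable_alloc_size(len));

    printf("hardened: 'href' copied ok=%d, wrapped len rejected=%d\n",
           safe_copy_matches("href=\"x\"", 4, "href"),
           safe_tmbstrndup("href", UINT_MAX) == NULL);
    return 0;
}
```

The 6 bytes the model reports for "href" (five copied, one trailing NUL) into a zero-byte allocation is the "4+ bytes of corruption" the comment refers to; the hardened copy returns NULL for the wrapped length instead of reaching malloc at all.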
SUSE-SU-2015:1513-1: An update that fixes two vulnerabilities is now available.
Category: security (low)
Bug References: 903962,933588
CVE References: CVE-2015-5522,CVE-2015-5523
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): tidy-1.0.20100204cvs-25.3
Released.