[Bug 1281930] New: libxml2: Out-of-bounds heap read on 0xff char in xml declaration
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1281930
Bug ID: 1281930
Summary: libxml2: Out-of-bounds heap read on 0xff char in xml declaration
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: athmanem(a)gmail.com, c.david86(a)gmail.com,
erik-fedora(a)vanpienbroek.nl,
fedora-mingw(a)lists.fedoraproject.org,
ktietz(a)redhat.com, lfarkas(a)lfarkas.org,
ohudlick(a)redhat.com, rjones(a)redhat.com,
veillard(a)redhat.com
An out-of-bounds heap read in xmlParseXMLDecl happens when a file containing an
unfinished xml declaration, e.g. <?xml versionencoding="ISO88598", is followed
by a 0xff byte.
Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=751631
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=709a952110e98621c9b78c4f2...
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=RtnuYLKA2T&a=cc_unsubscribe
[Bug 1276297] New: CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1276297
Bug ID: 1276297
Summary: CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: athmanem(a)gmail.com, c.david86(a)gmail.com,
drizt(a)land.ru, erik-fedora(a)vanpienbroek.nl,
fedora-mingw(a)lists.fedoraproject.org,
ktietz(a)redhat.com, lfarkas(a)lfarkas.org,
ohudlick(a)redhat.com, rjones(a)redhat.com,
veillard(a)redhat.com
A heap-based buffer overflow flaw was found in the way libxml2 parsed certain
crafted XML input. A remote attacker could provide a specially-crafted XML file
that, when opened in an application linked against libxml2, would cause the
application to crash.
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98...
Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=756456
CVE assignment:
http://seclists.org/oss-sec/2015/q4/130
[Bug 1274222] New: libxml2: Out-of-bounds memory access
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1274222
Bug ID: 1274222
Summary: libxml2: Out-of-bounds memory access
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: athmanem(a)gmail.com, c.david86(a)gmail.com,
drizt(a)land.ru, erik-fedora(a)vanpienbroek.nl,
fedora-mingw(a)lists.fedoraproject.org,
ktietz(a)redhat.com, lfarkas(a)lfarkas.org,
ohudlick(a)redhat.com, rjones(a)redhat.com,
veillard(a)redhat.com, weli(a)redhat.com
An out-of-bounds read vulnerability was found in libxml2 with crafted xml
input.
Report can be found here:
https://bugzilla.gnome.org/show_bug.cgi?id=744980#c1
Upstream patches:
https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd315...
https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98...
CVE request:
http://seclists.org/oss-sec/2015/q4/127
[Bug 1213957] New: libxml2: out-of-bounds memory access when parsing an unclosed HTML comment
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1213957
Bug ID: 1213957
Summary: libxml2: out-of-bounds memory access when parsing an unclosed HTML comment
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: vkaigoro(a)redhat.com
CC: athmanem(a)gmail.com, c.david86(a)gmail.com,
drizt(a)land.ru, erik-fedora(a)vanpienbroek.nl,
fedora-mingw(a)lists.fedoraproject.org,
ktietz(a)redhat.com, lfarkas(a)lfarkas.org,
ohudlick(a)redhat.com, rjones(a)redhat.com,
veillard(a)redhat.com
The following issue was reported in libxml2
(http://seclists.org/oss-sec/2015/q2/214):
"""
This is an out-of-bounds memory access in libxml2. By entering an unclosed
html comment such as <!-- the libxml2 parser didn't stop parsing at the end
of the buffer, causing random memory to be included in the parsed comment
that was returned to ruby. In Shopify, this caused ruby objects from
previous http requests to be disclosed in the rendered page.
Link to the issue in libxml2's bugtracker:
https://bugzilla.gnome.org/show_bug.cgi?id=746048
A patched version of nokogiri (which uses an embedded libxml2) is available
here:
https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c9...
This bug is still not patched upstream, but both libxml2 and nokogiri
developers are aware of the issue.
"""
No upstream patches exist at the time of creating this Bugzilla.
[Bug 1306047] New: [Patch] Use posix threads, fix static library
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1306047
Bug ID: 1306047
Summary: [Patch] Use posix threads, fix static library
Product: Fedora
Version: rawhide
Component: mingw-glib2
Assignee: erik-fedora(a)vanpienbroek.nl
Reporter: manisandro(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erik-fedora(a)vanpienbroek.nl,
fedora-mingw(a)lists.fedoraproject.org,
fidencio(a)redhat.com, klember(a)redhat.com,
marcandre.lureau(a)redhat.com, rjones(a)redhat.com,
t.sailer(a)alumni.ethz.ch
Created attachment 1122556
--> https://bugzilla.redhat.com/attachment.cgi?id=1122556&action=edit
Patch
The attached patch
- Sets the threading implementation to posix. Win32 threads seem broken
(regardless of whether used with static or dynamically linked glib)
- Improves glib-prefer-constructors-over-DllMain.patch to always prefer
constructors over DllMain, also handling a second case of DllMain
- Adds a missing BR for mingw-pcre
[Bug 1311503] New: pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1311503
Bug ID: 1311503
Summary: pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: thoger(a)redhat.com
CC: adam.stokes(a)gmail.com, andrew(a)beekhof.net,
csutherl(a)redhat.com, databases-maint(a)redhat.com,
dknox(a)redhat.com, erik-fedora(a)vanpienbroek.nl,
fedora-mingw(a)lists.fedoraproject.org,
fidencio(a)redhat.com, jclere(a)redhat.com,
jdornak(a)redhat.com, jdoyle(a)redhat.com,
jgrulich(a)redhat.com, jorton(a)redhat.com,
klember(a)redhat.com, lgao(a)redhat.com, lkundrak(a)v3.sk,
marcandre.lureau(a)redhat.com, mbabacek(a)redhat.com,
mclasen(a)redhat.com, mmaslano(a)redhat.com,
myarboro(a)redhat.com, pmyers(a)valanet.net,
ppisar(a)redhat.com, pslavice(a)redhat.com,
rcollet(a)redhat.com, rjones(a)redhat.com,
rmeggins(a)redhat.com, rsvoboda(a)redhat.com,
t.sailer(a)alumni.ethz.ch, twalsh(a)redhat.com,
walters(a)redhat.com, webstack-team(a)redhat.com,
weli(a)redhat.com
ZDI reported a stack-based buffer overflow in pcre and pcre2. ZDI-CAN-3542 id
is used to identify the issue.
https://bugs.exim.org/show_bug.cgi?id=1791
PCRE does not validate that handling the (*ACCEPT) verb will occur within
the bounds of the cworkspace stack buffer, leading to a stack buffer
overflow.
Fixed upstream in pcre and pcre2 via the following commits:
http://vcs.pcre.org/pcre?view=revision&revision=1631
http://vcs.pcre.org/pcre2?view=revision&revision=489
The issue is triggered by the following pattern:
/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
PCRE 8.00 seems to be the first affected version.
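As an added example (not part of the bug report or of PCRE itself), a pre-compile guard an application can apply to untrusted patterns while it still runs an unfixed PCRE: it measures group nesting depth, skipping bracket expressions such as the [00] classes in the trigger above, and refuses patterns whose (*ACCEPT) verb sits deeper than a chosen limit. The limit, the function names and the sample pattern are assumptions made for this example.

```python
"""Nesting-depth guard for untrusted PCRE patterns (added example, not from the report)."""

# Assumed threshold for this example; tune it to the patterns your workload accepts.
MAX_GROUP_DEPTH = 32

def group_depth_profile(pattern: str):
    """Return (max_depth, depth_at_accept) for a PCRE-style pattern.

    Only unescaped '(' and ')' outside character classes count, so
    bracket expressions like [(] or [00] do not skew the depth.
    depth_at_accept is the nesting depth at the first (*ACCEPT) verb,
    or None when the verb is absent.
    """
    depth = max_depth = 0
    depth_at_accept = None
    in_class = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                 # escaped character: skip it and the next one
            i += 2
            continue
        if in_class:
            if ch == "]":              # note: a ']' directly after '[' is literal in PCRE
                in_class = False
        elif ch == "[":
            in_class = True
        elif ch == "(":
            if pattern.startswith("(*ACCEPT)", i):
                if depth_at_accept is None:
                    depth_at_accept = depth
                i += len("(*ACCEPT)")
                continue
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            depth = max(depth - 1, 0)  # tolerate unbalanced input like the trigger above
        i += 1
    return max_depth, depth_at_accept

def is_safe_to_compile(pattern: str, limit: int = MAX_GROUP_DEPTH) -> bool:
    """Reject patterns whose (*ACCEPT) verb is nested deeper than `limit` groups."""
    _, depth_at_accept = group_depth_profile(pattern)
    return depth_at_accept is None or depth_at_accept <= limit

# Constructed sample shaped like the trigger in the report: 100 unclosed ([00] groups
# followed by (*ACCEPT). The report's own pattern nests considerably deeper.
SAMPLE = "/" + "([00]" * 100 + "(*ACCEPT)/"
```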