[Bug 1213957] New: libxml2: out-of-bounds memory access when parsing an unclosed HTML comment

bugzilla at redhat.com bugzilla at redhat.com
Tue Apr 21 15:46:24 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1213957

            Bug ID: 1213957
           Summary: libxml2: out-of-bounds memory access when parsing an
                    unclosed HTML comment
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team at redhat.com
          Reporter: vkaigoro at redhat.com
                CC: athmanem at gmail.com, c.david86 at gmail.com,
                    drizt at land.ru, erik-fedora at vanpienbroek.nl,
                    fedora-mingw at lists.fedoraproject.org,
                    ktietz at redhat.com, lfarkas at lfarkas.org,
                    ohudlick at redhat.com, rjones at redhat.com,
                    veillard at redhat.com



The following issue was reported in libxml2
(http://seclists.org/oss-sec/2015/q2/214):

"""
This is an out-of-bounds memory access in libxml2. By entering an unclosed
html comment such as <!-- the libxml2 parser didn't stop parsing at the end
of the buffer, causing random memory to be included in the parsed comment
that was returned to ruby. In Shopify, this caused ruby objects from
previous http requests to be disclosed in the rendered page.

Link to the issue in libxml2's bugtracker:
https://bugzilla.gnome.org/show_bug.cgi?id=746048

A patched version of nokogiri (which uses an embedded libxml2) is available
here:
https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c998e86ade8c0...master

This bug is still not patched upstream, but both libxml2 and nokogiri
developers are aware of the issue.
"""

No upstream patches exist at the time of creating this Bugzilla.

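The failure mode described in the report, as an added illustration that is not libxml2 or nokogiri code: a comment scanner that checks every read against the input length, so an unclosed `<!--` produces an error instead of a comment body containing bytes from past the buffer. The helper `scan_comment`, its status names and the sample buffer are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum scan_status { SCAN_OK = 0, SCAN_NOT_COMMENT = -1, SCAN_UNTERMINATED = -2 };

/*
 * Hypothetical helper, not a libxml2 function: locate the body of the
 * comment starting at buf[pos] in an input of exactly len bytes.
 * Every read is checked against len, so an unclosed "<!--" ends the scan
 * at the end of the input instead of continuing into adjacent memory.
 */
static enum scan_status scan_comment(const char *buf, size_t len, size_t pos,
                                     size_t *body_off, size_t *body_len)
{
    size_t i;

    /* The opening delimiter must fit entirely inside the input. */
    if (pos > len || len - pos < 4 || memcmp(buf + pos, "<!--", 4) != 0)
        return SCAN_NOT_COMMENT;

    /* len - i >= 3 keeps buf[i], buf[i+1] and buf[i+2] in bounds. */
    for (i = pos + 4; len - i >= 3; i++) {
        if (buf[i] == '-' && buf[i + 1] == '-' && buf[i + 2] == '>') {
            *body_off = pos + 4;
            *body_len = i - (pos + 4);
            return SCAN_OK;
        }
    }
    return SCAN_UNTERMINATED; /* no "-->" before end of input: no body */
}

int main(void)
{
    /* Constructed sample: the input is only the first 7 bytes ("<!-- hi");
     * the rest stands in for unrelated data that happens to follow it. */
    static const char mem[] = "<!-- hiSECRET-->";
    size_t off = 0, n = 0;

    printf("bounded to input: %d\n", scan_comment(mem, 7, 0, &off, &n));
    /* Wrong length (covers the neighbouring bytes): the "comment" now
     * swallows them, mirroring the disclosure the report describes. */
    if (scan_comment(mem, sizeof mem - 1, 0, &off, &n) == SCAN_OK)
        printf("over-long scan: %.*s\n", (int)n, mem + off);
    return 0;
}
```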