Re: libxml2 issue: out-of-bounds memory access when parsing an unclosed HTML comment

[Michal Zalewski <lcamtuf () coredump cx>]

Uh, so I guess we could also mention this one:

https://bugzilla.gnome.org/show_bug.cgi?id=744980

I wasn't sure it would ever cause anything serious / interesting,
though. Perhaps for some exotic uses?

/mz


On Sun, Apr 19, 2015 at 10:11 AM, Reed Loden <reed () reedloden com> wrote:
> (saw this randomly today on Twitter, so figured I'd send it on to make sure
> it gets a CVE and actually gets fixed)
>
> https://hackerone.com/reports/57125#activity-384861
>
> """
> This is an out-of-bounds memory access in libxml2. By entering a unclosed
> html comment such as <!-- the libxml2 parser didn't stop parsing at the end
> of the buffer, causing random memory to be included in the parsed comment
> that was returned to ruby. In Shopify, this caused ruby objects from
> previous http requests to be disclosed in the rendered page.
>
> Link to the issue in libxml2's bugtracker:
> https://bugzilla.gnome.org/show_bug.cgi?id=746048
>
> A patched version of nokogiri (which uses a embedded libxml2) is available
> here:
> https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c998e86ade8c0...master
>
> This bug is still not patched upstream, but both libxml2 and nokogiri
> developers are aware of the issue.
> """
>
> ~reed