[Bug 1213957] New: libxml2: out-of-bounds memory access when parsing an unclosed HTML comment

https://bugzilla.redhat.com/show_bug.cgi?id=1213957 Bug ID: 1213957 Summary: libxml2: out-of-bounds memory access when parsing an unclosed HTML comment Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: vkaigoro(a)redhat.com CC: athmanem(a)gmail.com, c.david86(a)gmail.com, drizt(a)land.ru, erik-fedora(a)vanpienbroek.nl, fedora-mingw(a)lists.fedoraproject.org, ktietz(a)redhat.com, lfarkas(a)lfarkas.org, ohudlick(a)redhat.com, rjones(a)redhat.com, veillard(a)redhat.com Following issue was reported in libxml2 (http://seclists.org/oss-sec/2015/q2/214): """ This is an out-of-bounds memory access in libxml2. By entering a unclosed html comment such as <!-- the libxml2 parser didn't stop parsing at the end of the buffer, causing random memory to be included in the parsed comment that was returned to ruby. In Shopify, this caused ruby objects from previous http requests to be disclosed in the rendered page. Link to the issue in libxml2's bugtracker: https://bugzilla.gnome.org/show_bug.cgi?id=746048 A patched version of nokogiri (which uses a embedded libxml2) is available here: https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c9... This bug is still not patched upstream, but both libxml2 and nokogiri developers are aware of the issue. """ No upstream patches exist at the time of creating this Bugzilla. -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=zRmasjF3dU&a=cc_unsubscribe