https://bugzilla.redhat.com/show_bug.cgi?id=1213957
Bug ID: 1213957
Summary: libxml2: out-of-bounds memory access when parsing an
unclosed HTML comment
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: vkaigoro(a)redhat.com
CC: athmanem(a)gmail.com, c.david86(a)gmail.com,
drizt(a)land.ru, erik-fedora(a)vanpienbroek.nl,
fedora-mingw(a)lists.fedoraproject.org,
ktietz(a)redhat.com, lfarkas(a)lfarkas.org,
ohudlick(a)redhat.com, rjones(a)redhat.com,
veillard(a)redhat.com
Following issue was reported in libxml2
(
http://seclists.org/oss-sec/2015/q2/214):
"""
This is an out-of-bounds memory access in libxml2. By entering a unclosed
html comment such as <!-- the libxml2 parser didn't stop parsing at the end
of the buffer, causing random memory to be included in the parsed comment
that was returned to ruby. In Shopify, this caused ruby objects from
previous http requests to be disclosed in the rendered page.
Link to the issue in libxml2's bugtracker:
https://bugzilla.gnome.org/show_bug.cgi?id=746048
A patched version of nokogiri (which uses a embedded libxml2) is available
here:
https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c9...
This bug is still not patched upstream, but both libxml2 and nokogiri
developers are aware of the issue.
"""
No upstream patches exist at the time of creating this Bugzilla.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=zRmasjF3dU&a=cc_unsubscribe