Bug 16114

Summary: tidy new heap-based buffer overflow security issue fixed upstream (CVE-2015-552[23])
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/648039/
Whiteboard: MGA4-64-OK MGA4-32-OK advisory
Source RPM: tidy-20090904-6.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-06-13 20:17:17 CEST 
OpenSuSE has issued an advisory on June 11:
http://lists.opensuse.org/opensuse-updates/2015-06/msg00024.html

Patch checked into Mageia 4 and Cauldron SVN.  Freeze push requested.

Reproducible: 

Steps to Reproduce:
David Walser 2015-06-13 20:17:24 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-06-13 21:44:10 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

Note to QA: this package is used by php-tidy, which you can test with the PHP update.

Advisory:
========================

Updated tidy packages fix security vulnerability:

A heap-based buffer overflow in tidy could have unspecified impact when
processing user-supplied input.

References:
http://lists.opensuse.org/opensuse-updates/2015-06/msg00024.html
========================

Updated packages in core/updates_testing:
========================
tidy-20090904-6.1.mga4
libtidy0.99_0-20090904-6.1.mga4
libtidy-devel-20090904-6.1.mga4

from tidy-20090904-6.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 2 David Walser 2015-06-14 18:58:40 CEST 
It is also used by the Web Page Validator plugin in Konqueror, documented here:
https://docs.kde.org/stable4/en/applications/konqueror/konq-plugin.html
Comment 3 David Walser 2015-06-17 13:33:12 CEST 
CVE request:
http://openwall.com/lists/oss-security/2015/06/04/2
Comment 4 Shlomi Fish 2015-07-01 14:02:33 CEST 
I'm going to test this bug on MGA4-x86-64. Stay tuned.

CC: (none) => shlomif

Comment 5 Shlomi Fish 2015-07-01 14:09:53 CEST 
The PoC (= Proof-of-Concept) in the CVE Request link from comment #3 gives me an "Out of memory" exception before the update and is handled fine after the update from updates_testing. Adding MGA4-64-OK.

Whiteboard: (none) => MGA4-64-OK

Comment 6 Shlomi Fish 2015-07-01 14:44:15 CEST 
Gonna test on MGA4-i586. Stay tuned.
Comment 7 Shlomi Fish 2015-07-01 14:53:47 CEST 
MGA4-32-OKing this. Same results as MGA4-x86-64.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 8 Dave Hodgins 2015-07-01 23:21:36 CEST 
Advisory committed to svn.

Someone from the sysadmin team please push 16114 to updates for Mageia 4.

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2015-07-05 19:23:19 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0257.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2015-07-15 20:09:20 CEST 
CVE-2015-5522 and CVE-2015-5523 assigned:
http://www.openwall.com/lists/oss-security/2015/07/15/3

Summary: tidy new heap-based buffer overflow security issue fixed upstream => tidy new heap-based buffer overflow security issue fixed upstream (CVE-2015-552[23])

Comment 11 David Walser 2015-07-20 20:52:43 CEST 
LWN reference with the CVEs; I've asked them to merge them:
http://lwn.net/Vulnerabilities/651765/