16114 – tidy new heap-based buffer overflow security issue fixed upstream (CVE-2015-552[23])

Bug 16114 - tidy new heap-based buffer overflow security issue fixed upstream (CVE-2015-552[23])

Summary: tidy new heap-based buffer overflow security issue fixed upstream (CVE-2015-5...

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/648039/
Whiteboard:	MGA4-64-OK MGA4-32-OK advisory
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2015-06-13 20:17 CEST by David Walser
Modified:	2015-07-20 20:52 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	tidy-20090904-6.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-06-13 20:17:17 CEST

OpenSuSE has issued an advisory on June 11:
http://lists.opensuse.org/opensuse-updates/2015-06/msg00024.html

Patch checked into Mageia 4 and Cauldron SVN.  Freeze push requested.

Reproducible: 

Steps to Reproduce:

David Walser 2015-06-13 20:17:24 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-06-13 21:44:10 CEST

Patched packages uploaded for Mageia 4 and Cauldron.

Note to QA: this package is used by php-tidy, which you can test with the PHP update.

Advisory:
========================

Updated tidy packages fix security vulnerability:

A heap-based buffer overflow in tidy could have unspecified impact when
processing user-supplied input.

References:
http://lists.opensuse.org/opensuse-updates/2015-06/msg00024.html
========================

Updated packages in core/updates_testing:
========================
tidy-20090904-6.1.mga4
libtidy0.99_0-20090904-6.1.mga4
libtidy-devel-20090904-6.1.mga4

from tidy-20090904-6.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 2 David Walser 2015-06-14 18:58:40 CEST

It is also used by the Web Page Validator plugin in Konqueror, documented here:
https://docs.kde.org/stable4/en/applications/konqueror/konq-plugin.html

Comment 3 David Walser 2015-06-17 13:33:12 CEST

CVE request:
http://openwall.com/lists/oss-security/2015/06/04/2

Comment 4 Shlomi Fish 2015-07-01 14:02:33 CEST

I'm going to test this bug on MGA4-x86-64. Stay tuned.

CC: (none) => shlomif

Comment 5 Shlomi Fish 2015-07-01 14:09:53 CEST

The PoC (= Proof-of-Concept) in the CVE Request link from comment #3 gives me an "Out of memory" exception before the update and is handled fine after the update from updates_testing. Adding MGA4-64-OK.

Whiteboard: (none) => MGA4-64-OK

Comment 6 Shlomi Fish 2015-07-01 14:44:15 CEST

Gonna test on MGA4-i586. Stay tuned.

Comment 7 Shlomi Fish 2015-07-01 14:53:47 CEST

MGA4-32-OKing this. Same results as MGA4-x86-64.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 8 Dave Hodgins 2015-07-01 23:21:36 CEST

Advisory committed to svn.

Someone from the sysadmin team please push 16114 to updates for Mageia 4.

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2015-07-05 19:23:19 CEST

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0257.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2015-07-15 20:09:20 CEST

CVE-2015-5522 and CVE-2015-5523 assigned:
http://www.openwall.com/lists/oss-security/2015/07/15/3

Summary: tidy new heap-based buffer overflow security issue fixed upstream => tidy new heap-based buffer overflow security issue fixed upstream (CVE-2015-552[23])

Comment 11 David Walser 2015-07-20 20:52:43 CEST

LWN reference with the CVEs; I've asked them to merge them:
http://lwn.net/Vulnerabilities/651765/

Note You need to log in before you can comment on or make changes to this bug.