Bug 16114 - tidy new heap-based buffer overflow security issue fixed upstream (CVE-2015-552[23])
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/648039/
Whiteboard: MGA4-64-OK MGA4-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-06-13 20:17 CEST by David Walser
Modified: 2015-07-20 20:52 CEST

See Also:
Source RPM: tidy-20090904-6.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2015-06-13 20:17:17 CEST
OpenSuSE has issued an advisory on June 11:
http://lists.opensuse.org/opensuse-updates/2015-06/msg00024.html

Patch checked into Mageia 4 and Cauldron SVN.  Freeze push requested.

David Walser 2015-06-13 20:17:24 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-06-13 21:44:10 CEST
Patched packages uploaded for Mageia 4 and Cauldron.

Note to QA: this package is used by php-tidy, which you can test with the PHP update.

Advisory:
========================

Updated tidy packages fix security vulnerability:

A heap-based buffer overflow in tidy could have unspecified impact when
processing user-supplied input.

References:
http://lists.opensuse.org/opensuse-updates/2015-06/msg00024.html
========================

Updated packages in core/updates_testing:
========================
tidy-20090904-6.1.mga4
libtidy0.99_0-20090904-6.1.mga4
libtidy-devel-20090904-6.1.mga4

from tidy-20090904-6.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 2 David Walser 2015-06-14 18:58:40 CEST
It is also used by the Web Page Validator plugin in Konqueror, documented here:
https://docs.kde.org/stable4/en/applications/konqueror/konq-plugin.html
Comment 3 David Walser 2015-06-17 13:33:12 CEST
CVE request:
http://openwall.com/lists/oss-security/2015/06/04/2
Comment 4 Shlomi Fish 2015-07-01 14:02:33 CEST
I'm going to test this bug on MGA4-x86-64. Stay tuned.

CC: (none) => shlomif

Comment 5 Shlomi Fish 2015-07-01 14:09:53 CEST
The PoC (= Proof-of-Concept) in the CVE Request link from comment #3 gives me an "Out of memory" exception before the update and is handled fine after the update from updates_testing. Adding MGA4-64-OK.

Whiteboard: (none) => MGA4-64-OK

Comment 6 Shlomi Fish 2015-07-01 14:44:15 CEST
Gonna test on MGA4-i586. Stay tuned.
Comment 7 Shlomi Fish 2015-07-01 14:53:47 CEST
MGA4-32-OKing this. Same results as MGA4-x86-64.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 8 Dave Hodgins 2015-07-01 23:21:36 CEST
Advisory committed to svn.

Someone from the sysadmin team please push 16114 to updates for Mageia 4.

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2015-07-05 19:23:19 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0257.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2015-07-15 20:09:20 CEST
CVE-2015-5522 and CVE-2015-5523 assigned:
http://www.openwall.com/lists/oss-security/2015/07/15/3

Summary: tidy new heap-based buffer overflow security issue fixed upstream => tidy new heap-based buffer overflow security issue fixed upstream (CVE-2015-552[23])

Comment 11 David Walser 2015-07-20 20:52:43 CEST
LWN reference with the CVEs; I've asked them to merge them:
http://lwn.net/Vulnerabilities/651765/
