lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5F068C2EDBA6AA42BC96594345ABE70149E7A475@tri02mailstr03.trianz.int>
Date: Fri, 26 Feb 2016 05:15:54 +0000
From: Shivaprasad Sadashivappa <Shivaprasad.S@...anz.com>
To: "c-users@...ces.apache.org" <c-users@...ces.apache.org>,
  "c-dev@...ces.apache.org" <c-dev@...ces.apache.org>,
  "security@...che.org" <security@...che.org>,
  "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
  "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
CC: Gustavo Grieco <gustavo.grieco@...g.fr>
Subject: RE: CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed
 Input

Hi,

Could you please let me know how to reproduce the issue, we are using xerces-c in one our product.

Ahead Together,
Shivaprasad BS




E mail: Official shivaprasad.s@...anz.com 
Mobile: +91 9900633664
www.trianz.com l LinkedIn | Facebook | Twitter space  leave 
Note: This message (including any attachments) contains business proprietary/confidential information intended for a specific individual and purpose, and is protected by law.  If you are not the intended recipient, you should delete this message.  Any disclosure, copying, or distribution of this message, or the taking of any action based on it, without the express permission of the originator, is strictly prohibited.  If you believe that you have received this email in error, please contact the sender immediately and delete the email and all of its attachments.
Trianz Email Privacy and Confidential Policy

-----Original Message-----
From: Cantor, Scott [mailto:cantor.2@....edu] 
Sent: Thursday, February 25, 2016 7:51 PM
To: c-dev@...ces.apache.org; c-users@...ces.apache.org; security@...che.org; oss-security@...ts.openwall.com; bugtraq@...urityfocus.com
Cc: Gustavo Grieco
Subject: CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions prior to V3.1.3

Description: The Xerces-C XML parser mishandles certain kinds of malformed input documents, resulting in buffer overlows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

Mitigation: Applications that are using library versions older than
V3.1.3 should upgrade as soon as possible. Distributors of older versions should apply the patches from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1727978

Credit: This issue was reported by Gustavo Grieco.

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWzlsyAAoJEDeLhFQCJ3liUAsP/Rr4rBKVPxOw3+5JDiQWT27y
/TT1kLFV+u6LtuBL3q6rwOIANquEMP1nJPVuYtceNF66xHi7eX6HZ8jZch6T+uvZ
Bt+kUTOfG4PW1RLm83W1kof58PTI5mIYBWofAQzXm9TSyvoHF5GXWqzNyGOKauYN
pto5xvJzEN5gM7DjbXF8OoIesNVaqCnr+9A2WmCCdNGNzSQLlUVDg9kDvXUdDvHD
+TXHDfgP8OSEYl5e3B3P5OV6SzUi2xdATR6zQgb1QANJy7FoK/FOP5+2J8ccultu
mXlVHpsGlPoIi85nyKVykK3hTT4DyhqSwCa9ek3D5i7lIEk2dXxeevh90is3y/Al
0GSUoG7yXbfe7xmlcUUghdYeYBP6JSOiOqAREUsKfY6nYo4XpGwvJRz/Xgk7iw9y
p39sCIKuJBpqe1Vgy8ONeTFc0WZkkriq23n2oZ4zxoOImF5k44f01olZhA/wmE1P
Wi6Qrafn6myUtp1TAXWoakfxJo0DgHfH6fazlmYSPHIyfLShrAcG6aETDn92KsDp
gy4a5ulP/qpkncJrF2+XeM1wgQSTpUln2664fSwRw5whqg/PW/qGx+/1sltwOSQe
l4bvQhr9xvkv+W++aPFgmJF3HW0Gnsglty6KQAcQ/RqheZ+/vL9buCqWw2xg4bkN
BQJ4QvN4uaHIUxhzVfiL
=vI5o
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ