Posted to c-dev@xerces.apache.org by "Moti (JIRA)" <xe...@xml.apache.org> on 2017/02/01 13:51:51 UTC

[jira] [Commented] (XERCESC-2061) Buffer overruns in prolog parsing and error handling

    [ https://issues.apache.org/jira/browse/XERCESC-2061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15848390#comment-15848390 ] 

Moti commented on XERCESC-2061:
-------------------------------

Hi Scott,
I have looked extensively at this code change.
I have a few questions that are very important to us in order to make a wise decision about using Xerces:

1. Can you elaborate on why this issue was categorized as having potential remote code execution possibility, compared to other Xerces issues that were classified as DoS only?
2. For the XMLReader fix, I have not managed to create an actual overflow which causes a crash using UTF-8 encoding. Can you tell me whether, specifically for the UTF-8 encoding, the added code there was added as a precautionary measure, or did you manage to cause this code to crash/overflow?
3. Say that we don't allow sending complete XML, but rather we take input that affects certain elements of our XML; does the risk reduce, or does the vulnerability still exist?
4. I managed to understand the changes in XMLReader.cpp, but can you perhaps elaborate on the fixes that were done in the other two sources? Do you perhaps have any test XMLs that I can use against the new versus the old version to see the difference in behaviors (samples you used for testing, etc.)?
5. Do you know of, or have access to, any exploits regarding this issue that we can use to verify whether our product is vulnerable?

Many thanks for your help!

> Buffer overruns in prolog parsing and error handling
> ----------------------------------------------------
>
>                 Key: XERCESC-2061
>                 URL: https://issues.apache.org/jira/browse/XERCESC-2061
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: Non-Validating Parser, Validating Parser (DTD), Validating Parser (XML Schema)
>    Affects Versions: 3.1.2
>            Reporter: Scott Cantor
>            Priority: Blocker
>             Fix For: 3.2.0, 3.1.3
>
>
> Vulnerabilities were reported to the project that led to the discovery of several buffer overflows.
> The issue was publicly disclosed as CVE-2016-0729.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
