Bug 671452 - app-text/htmltidy: Multiple DoS vulnerabilities (CVE-2015-{5522,5523})
Status: RESOLVED DUPLICATE of bug 561452
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/php/php-src/pull/1940
Whiteboard: B3 [glsa? blocked]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-18 16:02 UTC by Pacho Ramos
Modified: 2021-06-04 19:28 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Pacho Ramos gentoo-dev 2018-11-18 16:02:21 UTC
Per https://github.com/php/php-src/pull/1940 htmltidy is affected by CVE-2015-5522 and CVE-2015-5523
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-24 03:30:44 UTC
CVE-2020-5522:

Heap-based buffer overflow in the ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving a command character in an href.

CVE-2020-5523:

The ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving multiple whitespace characters before an empty href, which triggers a large memory allocation.
Comment 2 SpanKY gentoo-dev 2021-06-04 19:28:33 UTC
seems like it was already fixed years before this bug was filed

*** This bug has been marked as a duplicate of bug 561452 ***