[ https://issues.apache.org/jira/browse/XERCESC-2061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15848390#comment-15848390 ]

Moti commented on XERCESC-2061:
-------------------------------

Hi Scott,
I have looked extensively at this code change.
I have a few questions that are very important to us in order to make a wise decision about using Xerces:

1. Can you elaborate on why this issue was categorized as having potential remote code execution possibility, compared to other Xerces issues that were classified as DoS only?
2. For the XMLReader fix, I have not managed to create an actual overflow which causes a crash using UTF-8 encoding. Can you tell me whether, specifically for the UTF-8 encoding, the code there was added as a precautionary measure, or did you manage to cause this code to crash/overflow?
3. Say that we don't allow sending a complete XML document but rather take input that affects certain elements of our XML; does the risk reduce, or does the vulnerability still exist?
4. I managed to understand the changes in XMLReader.cpp, but can you perhaps elaborate on the fixes that were done in the other two sources? Do you perhaps have any test XMLs that I can use against the new versus the old version to see the difference in behaviour (samples you used for testing, etc.)?
5. Do you know of / have access to any exploits regarding this issue that we can use to verify whether our product is vulnerable?

Many thanks for your help!

> Buffer overruns in prolog parsing and error handling
> ----------------------------------------------------
>
>                 Key: XERCESC-2061
>                 URL: https://issues.apache.org/jira/browse/XERCESC-2061
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: Non-Validating Parser, Validating Parser (DTD), 
> Validating Parser (XML Schema)
>    Affects Versions: 3.1.2
>            Reporter: Scott Cantor
>            Priority: Blocker
>             Fix For: 3.2.0, 3.1.3
>
>
> Vulnerabilities were reported to the project that led to the discovery of 
> several buffer overflows.
> The issue was publicly disclosed as CVE-2016-0729



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
