[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input
Could you please let me know how to reproduce the issue, we are using xerces-c in one our product.
E mail: Official shivaprasad.s@xxxxxxxxxx
Mobile: +91 9900633664
www.trianz.com l LinkedIn | Facebook | Twitter space leave
Note: This message (including any attachments) contains business proprietary/confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, without the express permission of the originator, is strictly prohibited. If you believe that you have received this email in error, please contact the sender immediately and delete the email and all of its attachments.
Trianz Email Privacy and Confidential Policy
From: Cantor, Scott [mailto:cantor.2@xxxxxxx]
Sent: Thursday, February 25, 2016 7:51 PM
To: c-dev@xxxxxxxxxxxxxxxxx; c-users@xxxxxxxxxxxxxxxxx; security@xxxxxxxxxx; oss-security@xxxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
Cc: Gustavo Grieco
Subject: CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input
-----BEGIN PGP SIGNED MESSAGE-----
CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input
Vendor: The Apache Software Foundation
Versions Affected: Apache Xerces-C XML Parser library versions prior to V3.1.3
Description: The Xerces-C XML parser mishandles certain kinds of malformed input documents, resulting in buffer overlows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.
Mitigation: Applications that are using library versions older than
V3.1.3 should upgrade as soon as possible. Distributors of older versions should apply the patches from this subversion revision:
Credit: This issue was reported by Gustavo Grieco.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----