Debian Security Advisory
DLA-273-1 tidy -- LTS security update
- Date Reported: 18 Jul 2015
- Affected Packages: tidy
- Vulnerable: Yes
- Security database references: In the Debian bugtracking system: Bug 792571. In Mitre's CVE dictionary: CVE-2015-5522, CVE-2015-5523.
- More information:
Fernando Muñoz discovered a security issue in tidy, the HTML syntax checker and reformatter. Tidy did not properly process specific character sequences, and a remote attacker could exploit this flaw to cause a denial of service or, probably, to execute arbitrary code. Two different CVEs were assigned to this issue.
- CVE-2015-5522: Malformed HTML documents could lead to a heap buffer overflow.
- CVE-2015-5523: Malformed HTML documents could cause tidy to allocate 4Gb of memory.
For the Squeeze distribution, this issue has been fixed in the 20091223cvs-1+deb6u1 version of tidy.
We recommend that you upgrade your tidy packages.