Bug#1014391: scilab: CVE-2022-30045 incorrect memory handling in ezml support leading to a heap out-of-bounds read

Neil Williams codehelp at debian.org
Fri Aug 5 10:43:59 BST 2022


On Mon, 1 Aug 2022 18:25:04 +0200 Sylvestre Ledru <sylvestre at mozilla.com> wrote:
> Hello,
> 
> On 05/07/2022 at 11:19, Neil Williams wrote:
> > Source: scilab
> > Version: 6.1.1+dfsg2-3
> > Severity: important
> > Tags: security
> > X-Debbugs-Cc: codehelp at debian.org, Debian Security Team <team at security.debian.org>
> > 
> > Hi,
> > 
> > The following vulnerability was published for scilab.
> > 
> > CVE-2022-30045[0]:
> > | An issue was discovered in libezxml.a in ezXML 0.8.6. The function
> > | ezxml_decode() performs incorrect memory handling while parsing
> > | crafted XML files, leading to a heap out-of-bounds read.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2022-30045
> >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30045
> > 
> > Please adjust the affected versions in the BTS as needed.
> > 
> 
> 
> While Scilab indeed ships ezxml.c, I am not sure how this can be exploited.
> 
> The code is probably only used to load scicos/xcos schema.
> https://github.com/scilab/scilab/blob/b0937f19e4b8ddf416ca9a9a433bcbbd3f4ef2c0/scilab/modules/scicos/src/c/ezxml.c
> 

Am I right in thinking that XCOS Schema can be provided by third parties/users?
( https://github.com/scilab/scilab/blob/master/scilab/contrib/xcos_toolbox_skeleton/help/en_US/available_blocks.xml )

What would the effect be of a crash during parsing a corrupt XCOS Schema loaded via a help file, for example?



-- 
Neil Williams
=============
https://linux.codehelp.co.uk/