Debian Security Advisory

DLA-273-1 tidy -- LTS security update

Date Reported:
18 Jul 2015
Affected Packages:
tidy
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 792571.
In Mitre's CVE dictionary: CVE-2015-5522, CVE-2015-5523.
More information:

Fernando Muñoz discovered a security issue in the HTML syntax checker and reformatter tidy. Tidy did not properly process specific character sequences, and a remote attacker could exploit this flaw to cause a denial of service or, probably, execute arbitrary code. Two different CVEs were assigned to this issue.

  • CVE-2015-5522

    Malformed HTML documents could lead to a heap buffer overflow.

  • CVE-2015-5523

    Malformed HTML documents could cause tidy to allocate 4 GB of memory.

For the Squeeze distribution, this issue has been fixed in tidy version 20091223cvs-1+deb6u1.

We recommend that you upgrade your tidy packages.