Discussion:
REJECT request filed for CVE-2018-11210 against tinyxml2
Florian Weimer
2018-11-19 16:02:42 UTC
I filed a REJECT request for MITRE for this CVE identifier, with this
rationale:

This is not a vulnerability. The fuzzer did not check that the
precondition is satisfied. If XMLDocument::Parse is called in the
one-argument form (or with a (size_t)-1 argument), then it uses strlen
on the input string, which must be null-terminated. This is clearly
spelled out in the API documentation.

<https://github.com/leethomason/tinyxml2/blob/8f4a9a8cc2a93709b97d0cf51d33ddd1ec33277d/tinyxml2.h#L1677>

This is just a courtesy notice in case you want to update your records
before MITRE processes the rejection request (or rejects it altogether).

Thanks,
Florian
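
An added example, not part of the original post or of tinyxml2: two fuzz-harness shapes that satisfy the precondition described above. `parse_like` is a hypothetical stand-in that only models the length convention (strlen when the length is `(size_t)-1`); a real harness would call `doc.Parse(...)` at those points. The harness function names are also made up for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Hypothetical stand-in with the length convention the post describes for
// XMLDocument::Parse: when nBytes is (size_t)-1 the length comes from strlen,
// so the caller must pass a null-terminated string.
// Returns the number of bytes the parser would read.
static size_t parse_like(const char* xml,
                         size_t nBytes = static_cast<size_t>(-1)) {
    if (nBytes == static_cast<size_t>(-1)) {
        nBytes = std::strlen(xml);  // precondition: xml is null-terminated
    }
    return nBytes;
}

// Harness A: pass the fuzzer's length through. No terminator is required and
// embedded NUL bytes remain part of the parsed input.
size_t harness_explicit_length(const uint8_t* data, size_t size) {
    return parse_like(reinterpret_cast<const char*>(data), size);
}

// Harness B: one-argument form. Copy into std::string first; c_str() is
// always null-terminated, so strlen cannot run past the copy. Input is cut
// at the first embedded NUL, which reduces what the fuzzer can reach.
size_t harness_terminated_copy(const uint8_t* data, size_t size) {
    std::string copy(size ? reinterpret_cast<const char*>(data) : "", size);
    return parse_like(copy.c_str());
}

// libFuzzer entry point. Fuzzer buffers are exactly `size` bytes with no
// terminator, so passing `data` to the one-argument form directly would
// violate the precondition and report an over-read in the harness itself.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    harness_explicit_length(data, size);
    harness_terminated_copy(data, size);
    return 0;
}
```

Harness A is normally the better choice for coverage, since it keeps inputs containing NUL bytes intact.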
