Bug 4759

Summary: libxslt new security issue CVE-2011-3970
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, fundawang, mageia, pterjan, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3970
Whiteboard:
Source RPM: libxslt-1.1.26-5.mga1.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 4839    

Description David Walser 2012-03-01 13:07:33 CET 
Mandriva has issued an advisory for this today (March 1):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:028

Cauldron is likely affected as well.
Manuel Hiebel 2012-03-01 23:58:45 CET

CC: (none) => fundawang, mageia, pterjan

Comment 1 David Walser 2012-03-04 03:14:18 CET 
Looks like Funda Wang took care of Cauldron.
Comment 2 David Walser 2012-03-04 18:28:11 CET 
Patched packages uploaded.

Advisory:
========================

Updated libxslt packages fix security vulnerability:

libxslt allows remote attackers to cause a denial of service
(out-of-bounds read) via unspecified vectors (CVE-2011-3970).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3970
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:028
========================

Updated packages in core/updates_testing:
========================
libxslt1-1.1.26-5.1.mga1
libxslt-devel-1.1.26-5.1.mga1
python-libxslt-1.1.26-5.1.mga1
xsltproc-1.1.26-5.1.mga1

from libxslt-1.1.26-5.1.mga1.src.rpm

Assignee: bugsquad => qa-bugs

Dave Hodgins 2012-03-16 01:20:21 CET

Blocks: (none) => 4839

Comment 3 Dave Hodgins 2012-03-16 01:33:41 CET 
As per the reference, the denial of service POC has not
been disclosed, so just testing that chromium-browser
still works with xhtml pages.

Testing complete on i586 for the srpm
libxslt-1.1.26-5.1.mga1.src.rpm

CC: (none) => davidwhodgins

Comment 4 claire robinson 2012-03-23 12:54:02 CET 
Tested x86_64 with chromium-browser and tests from http://tantek.com/XHTML/Test/

Tested xsltproc by following here: http://www.w3schools.com/xsl/xsl_transformation.asp

created cdcatalog.xml and cdcatalog.xsl then used

$ xsltproc cdcatalog.xsl cdcatalog.xml

<html><body>
<h2>My CD Collection</h2>
<table border="1">
<tr bgcolor="#9acd32">
<th>Title</th>
<th>Artist</th>
</tr>
<tr>
<td>Empire Burlesque</td>
<td>Bob Dylan</td>
</tr>
</table>
</body></html>

For python-xslt used the script from http://lab.usgin.org/groups/etl-debug-blog/xslt-transformations-python-through-gnome-libxml-c-parser

Modified the variables to use the cdcatalog.xsl and cdcatalog.xml and output.xml

$ python libxml_xslt_transform_example.py

Generates the same html above in stdout and saves it to the output.xml file.

I'll create a page on the wiki for this for next time.
Comment 5 claire robinson 2012-03-23 12:55:29 CET 
Validating

Advisory and SRPM in comment 2

Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2012-03-24 15:48:13 CET 
Update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED