Google has issued an advisory on May 25:
http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html
The Chrome update includes two security fixes for libxslt. No details are available yet.
CC: (none) => cjw
Whiteboard: (none) => MGA5TOO
CC: (none) => marja11
Assignee: bugsquad => shlomif
In chromium, libxslt was updated to a pre-1.1.29 snapshot in a single commit, so I couldn't easily find the updates for the 2 security issues they list. On top of the snapshot, chromium's libxslt has a slightly different version of upstream's later commit https://git.gnome.org/browse/libxslt/commit/?id=69ec3da1b653024aca6515ddd4adc91919dd188e so that should be the fix for "CVE-2016-1683: Out-of-bounds access". Maybe the libxslt package in cauldron should be updated to 1.1.29? It contains the above fix and others... I'm still not sure what is meant by the "Integer overflow" CVE-2016-1684, though.
Yes, I think we should update to the latest upstream snapshot.
Thanks Christiaan for the update in Cauldron. You should split those two libraries with different majors into different subpackages though. Once that's done, we can sync the update to Mageia 5 as well.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Both libxslt.so.1 and libexslt.so.0 are already part of libxslt 1.1.28 so I don't see why we would want to split up the library package for mga5.
Version: 5 => Cauldron
Oh, in the diff it looked like the major of one of them changed. Hopefully they won't change and it will be ok.
Version: Cauldron => 5
Since there are no security references for libxslt 1.1.29 other than the one already fixed in MGA5, I'm not sure what to put in a security advisory. There is now some info in the redhat bugzilla issues, however:
https://bugzilla.redhat.com/show_bug.cgi?id=1340016
https://bugzilla.redhat.com/show_bug.cgi?id=1340017
Christiaan,
As we can see from the RedHat bugs, they link upstream commits which we can definitively see were included in the 1.1.29 release that you updated Cauldron to, so we now know that these issues are fixed in Cauldron, so please leave the version on this bug set to 5. It looks like all we need to do is update Mageia 5 to 1.1.29 as well.
As far as the advisory, there indeed isn't much information available about these issues, so it could read generically like:
"The libxslt package has been updated to version 1.1.29, which fixes several bugs and possible security issues, including an out-of-bounds memory access (CVE-2016-1683) and integer overflow (CVE-2016-1684)."
With references including the Chrome advisory in Comment 0 and the upstream release notes or changelog for libxslt 1.1.29 if there's one available online. Thanks!
Severity: normal => major
[Version change was due to some known problem with bugzilla or browser, I didn't change it.]
Packages are ready for testing:
MGA5
SRPM:
libxslt-1.1.29-1.mga5.src.rpm
RPMS:
xsltproc-1.1.29-1.mga5.i586.rpm
libxslt1-1.1.29-1.mga5.i586.rpm
python-libxslt-1.1.29-1.mga5.i586.rpm
libxslt-devel-1.1.29-1.mga5.i586.rpm
xsltproc-1.1.29-1.mga5.x86_64.rpm
lib64xslt1-1.1.29-1.mga5.x86_64.rpm
python-libxslt-1.1.29-1.mga5.x86_64.rpm
lib64xslt-devel-1.1.29-1.mga5.x86_64.rpm
Test procedure: https://wiki.mageia.org/en/QA_procedure:Libxslt
Advisory (based on David's text, thanks!):
The libxslt package has been updated to version 1.1.29, which fixes several bugs and possible security issues, including an out-of-bounds memory access (CVE-2016-1683) and integer overflow (CVE-2016-1684), and provides other improvements.
References:
http://xmlsoft.org/XSLT/news.html
http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html
Assignee: shlomif => qa-bugs
Tests using the test procedure at the command-line and in Chromium all seem to work fine, Mageia 5 x86_64.
Whiteboard: (none) => MGA5-64-OK
Whiteboard: MGA5-64-OK => has_procedure MGA5-64-OK
On Mageia 5 i586, a simple transformation works both with xsltproc and python-libxslt using the python code from the test procedure. The result is the same as with libxslt 1.1.28-8.1.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0217.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED