Bug 18547 - libxslt new security issues CVE-2016-1683 and CVE-2016-1684
Summary: libxslt new security issues CVE-2016-1683 and CVE-2016-1684
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-05-26 13:48 CEST by David Walser
Modified: 2016-06-07 23:40 CEST
4 users

See Also:
Source RPM: libxslt-1.1.28-11.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2016-05-26 13:48:39 CEST
Google has issued an advisory on May 25:
http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html

The Chrome update includes two security fixes for libxslt.  No details are available yet.
David Walser 2016-05-26 13:48:51 CEST

CC: (none) => cjw
Whiteboard: (none) => MGA5TOO

Marja Van Waes 2016-05-26 19:37:53 CEST

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 1 Christiaan Welvaart 2016-05-28 12:27:01 CEST
In chromium, libxslt was updated to a pre-1.1.29 snapshot in a single commit, so I couldn't easily find the updates for the 2 security issues they list.

On top of the snapshot, chromium's libxslt has a slightly different version of upstream's later commit https://git.gnome.org/browse/libxslt/commit/?id=69ec3da1b653024aca6515ddd4adc91919dd188e so that should be the fix for "CVE-2016-1683: Out-of-bounds access".

Maybe the libxslt package in cauldron should be updated to 1.1.29? It contains the above fix and others... I'm still not sure what is meant with the "Integer overflow" CVE-2016-1684, though.
Comment 2 David Walser 2016-05-28 12:38:15 CEST
Yes, I think we should update to the latest upstream snapshot.
Comment 3 David Walser 2016-05-30 17:33:11 CEST
Thanks Christiaan for the update in Cauldron.  You should split those two libraries with different majors into different subpackages though.  Once that's done, we can sync the update to Mageia 5 as well.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 Christiaan Welvaart 2016-05-30 21:21:22 CEST
Both libxslt.so.1 and libexslt.so.0 are already part of libxslt 1.1.28 so I don't see why we would want to split up the library package for mga5.

Version: 5 => Cauldron

Comment 5 David Walser 2016-05-30 21:52:44 CEST
Oh, in the diff it looked like the major of one of them changed.  Hopefully they won't change and it will be ok.

Version: Cauldron => 5

Comment 6 Christiaan Welvaart 2016-06-05 15:03:09 CEST
Since there are no security references for libxslt 1.1.29 other than the one already fixed in MGA5, I'm not sure what to put in a security advisory. There is now some info in the redhat bugzilla issues, however:
https://bugzilla.redhat.com/show_bug.cgi?id=1340016
https://bugzilla.redhat.com/show_bug.cgi?id=1340017

Version: 5 => Cauldron

Comment 7 David Walser 2016-06-05 15:20:33 CEST
Christiaan,

As we can see from the RedHat bugs, they link upstream commits which we can definitively see were included in the 1.1.29 release that you updated Cauldron to, so we now know that these issues are fixed in Cauldron, so please leave the version on this bug set to 5.

It looks like all we need to do is update Mageia 5 to 1.1.29 as well.  As far as the advisory, there indeed isn't much information available about these issues, so it could read generically like:

"The libxslt package has been updated to version 1.1.29, which fixes several
bugs and possible security issues, including an out-of-bounds memory access
(CVE-2016-1683) and integer overflow (CVE-2016-1684)."

With references including the Chrome advisory in Comment 0 and the upstream release notes or changelog for libxslt 1.1.29 if there's one available online.

Thanks!

Version: Cauldron => 5

David Walser 2016-06-05 15:20:42 CEST

Severity: normal => major

Comment 8 Christiaan Welvaart 2016-06-05 18:46:49 CEST
[Version change was due to some known problem with bugzilla or browser, I didn't change it.]

Packages are ready for testing:

MGA5
SRPM:
libxslt-1.1.29-1.mga5.src.rpm
RPMS:
xsltproc-1.1.29-1.mga5.i586.rpm
libxslt1-1.1.29-1.mga5.i586.rpm
python-libxslt-1.1.29-1.mga5.i586.rpm
libxslt-devel-1.1.29-1.mga5.i586.rpm
xsltproc-1.1.29-1.mga5.x86_64.rpm
lib64xslt1-1.1.29-1.mga5.x86_64.rpm
python-libxslt-1.1.29-1.mga5.x86_64.rpm
lib64xslt-devel-1.1.29-1.mga5.x86_64.rpm

Test procedure: https://wiki.mageia.org/en/QA_procedure:Libxslt

Advisory (based on David's text, thanks!):

The libxslt package has been updated to version 1.1.29, which fixes several
bugs and possible security issues, including an out-of-bounds memory access
(CVE-2016-1683) and integer overflow (CVE-2016-1684), and provides other improvements.

References:
http://xmlsoft.org/XSLT/news.html
http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html

Assignee: shlomif => qa-bugs

Comment 9 David Walser 2016-06-06 16:24:07 CEST
Tests using the test procedure at the command-line and in Chromium all seem to work fine, Mageia 5 x86_64.

Whiteboard: (none) => MGA5-64-OK

David Walser 2016-06-06 16:33:54 CEST

Whiteboard: MGA5-64-OK => has_procedure MGA5-64-OK

Comment 10 Christiaan Welvaart 2016-06-07 22:44:37 CEST
On Mageia 5 i586, a simple transformation works both with xsltproc and python-libxslt using the python code from the test procedure. The result is the same as with libxslt 1.1.28-8.1.
David Walser 2016-06-07 22:59:14 CEST

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK

Dave Hodgins 2016-06-07 23:18:07 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 11 Mageia Robot 2016-06-07 23:40:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0217.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED