In chromium, libxslt was updated to a pre-1.1.29 snapshot in a single commit, so I couldn't easily find the updates for the 2 security issues they list.

On top of the snapshot, chromium's libxslt has a slightly different version of upstream's later commit https://git.gnome.org/browse/libxslt/commit/?id=69ec3da1b653024aca6515ddd4adc91919dd188e so that should be the fix for "CVE-2016-1683: Out-of-bounds access".

Maybe the libxslt package in cauldron should be updated to 1.1.29? It contains the above fix and others... I'm still not sure what is meant with the "Integer overflow" CVE-2016-1684, though.

Yes, I think we should update to the latest upstream snapshot.

Thanks Christiaan for the update in Cauldron.  You should split those two libraries with different majors into different subpackages though.  Once that's done, we can sync the update to Mageia 5 as well.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Both libxslt.so.1 and libexslt.so.0 are already part of libxslt 1.1.28 so I don't  see why we would want to split up the library package for mga5.

Version: 5 => Cauldron

Oh, in the diff it looked like the major of one of them changed.  Hopefully they won't change and it will be ok.

Version: Cauldron => 5

Since there are no security references for libxslt 1.1.29 other than the one already fixed in MGA5, I'm not sure what to put in a security advisory. There is now some info in the redhat bugzilla issues, however:
https://bugzilla.redhat.com/show_bug.cgi?id=1340016
https://bugzilla.redhat.com/show_bug.cgi?id=1340017

Version: 5 => Cauldron

Christiaan,

As we can see from the RedHat bugs, they link upstream commits which we can definitively see were included in the 1.1.29 release that you updated Cauldron to, so we now know that these issues are fixed in Cauldron, so please leave the version on this bug set to 5.

It looks like all we need to do is update Mageia 5 to 1.1.29 as well.  As far as the advisory, there indeed isn't much information available about these issues, so it could read generically like:

"The libxslt package has been updated to version 1.1.29, which fixes several
bugs and possible security issues, including an out-of-bounds memory access
(CVE-2016-1683) and integer overflow (CVE-2016-1684)."

With references including the Chrome advisory in Comment 0 and the upstream release notes or changelog for libxslt 1.1.29 if there's one available online.

Thanks!

Version: Cauldron => 5

[Version change was due to some known problem with bugzilla or browser, I didn't change it.]

Packages are ready for testing:

MGA5
SRPM:
libxslt-1.1.29-1.mga5.src.rpm
RPMS:
xsltproc-1.1.29-1.mga5.i586.rpm
libxslt1-1.1.29-1.mga5.i586.rpm
python-libxslt-1.1.29-1.mga5.i586.rpm
libxslt-devel-1.1.29-1.mga5.i586.rpm
xsltproc-1.1.29-1.mga5.x86_64.rpm
lib64xslt1-1.1.29-1.mga5.x86_64.rpm
python-libxslt-1.1.29-1.mga5.x86_64.rpm
lib64xslt-devel-1.1.29-1.mga5.x86_64.rpm

Test procedure: https://wiki.mageia.org/en/QA_procedure:Libxslt


Advisory (based on David's text, thanks!):


The libxslt package has been updated to version 1.1.29, which fixes several
bugs and possible security issues, including an out-of-bounds memory access
(CVE-2016-1683) and integer overflow (CVE-2016-1684), and provides other improvements.

References:
http://xmlsoft.org/XSLT/news.html
http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html

Assignee: shlomif => qa-bugs

Tests using the test procedure at the command-line and in Chromium all seem to work fine, Mageia 5 x86_64.

Whiteboard: (none) => MGA5-64-OK

On Mageia 5 i586, a simple transformation works both with xsltproc and python-libxslt using the python code from the test procedure. The result is the same as with libxslt 1.1.28-8.1 .

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0217.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED