Bug 24705 - libxslt new security issue CVE-2019-11068
Summary: libxslt new security issue CVE-2019-11068
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-04-22 23:23 CEST by David Walser
Modified: 2019-05-18 14:34 CEST
6 users

See Also:
Source RPM: libxslt-1.1.33-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-04-22 23:23:57 CEST
Ubuntu has issued an advisory on April 15:
https://usn.ubuntu.com/3947-1/

Mageia 6 is also affected.
David Walser 2019-04-22 23:24:03 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-04-23 20:29:06 CEST
Assigning to our registered libxslt maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2019-04-25 13:22:00 CEST
Critical severity issue according to:
https://www.openwall.com/lists/oss-security/2019/04/23/5

Severity: major => critical

Comment 3 David Walser 2019-04-25 14:49:12 CEST
libxslt-1.1.33-2.mga7 uploaded for Cauldron by Shlomi to fix this.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 David Walser 2019-04-25 19:51:47 CEST
Patched package uploaded by Shlomi for Mageia 6.

Advisory:
========================

Updated libxslt packages fix security vulnerability:

libxslt through 1.1.33 allows bypass of a protection mechanism because callers
of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1
error code. xsltCheckRead can return -1 for a crafted URL that is not actually
invalid and is subsequently loaded (CVE-2019-11068).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068
https://usn.ubuntu.com/usn/usn-3947-1
========================

Updated packages in core/updates_testing:
========================
xsltproc-1.1.29-6.mga6
libxslt1-1.1.29-6.mga6
python-libxslt-1.1.29-6.mga6
libxslt-devel-1.1.29-6.mga6

from libxslt-1.1.29-6.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs
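The fail-open pattern the advisory describes, as an added illustration that is not libxslt's code and not part of this bug report: a hypothetical `check_read` modelled on the three-way result the advisory attributes to xsltCheckRead (1 allowed, 0 denied, -1 error), a caller that only blocks on an explicit 0, and a hardened caller that blocks on anything other than an explicit allow. The names, the deny rule and the "unparsable URL" condition are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Three-way result modelled on the advisory's description of xsltCheckRead:
 * 1 = access allowed, 0 = denied by policy, -1 = error (URL could not be parsed).
 * Hypothetical names; this is not libxslt's implementation. */
enum { CHECK_ERROR = -1, CHECK_DENIED = 0, CHECK_ALLOWED = 1 };

/* Constructed policy: unparsable input yields an error (not a verdict),
 * one path prefix is denied, everything else is allowed. */
static int check_read(const char *url)
{
    const char *denied_prefix = "file:///private/";   /* constructed deny rule */

    if (url == NULL || *url == '\0')
        return CHECK_ERROR;                 /* nothing to parse */
    if (strchr(url, ' ') != NULL)
        return CHECK_ERROR;                 /* constructed "unparsable URL" condition */
    if (strncmp(url, denied_prefix, strlen(denied_prefix)) == 0)
        return CHECK_DENIED;
    return CHECK_ALLOWED;
}

/* Vulnerable caller pattern: only an explicit DENIED blocks the load, so the
 * -1 error path falls through and the resource is loaded anyway. */
static int load_vulnerable(const char *url)
{
    if (check_read(url) == CHECK_DENIED)
        return 0;                           /* blocked */
    return 1;                               /* loaded */
}

/* Hardened caller: anything other than an explicit ALLOWED blocks the load,
 * so the error path fails closed. */
static int load_hardened(const char *url)
{
    if (check_read(url) != CHECK_ALLOWED)
        return 0;                           /* blocked */
    return 1;                               /* loaded */
}

int main(void)
{
    /* constructed inputs covering allow, deny and both error conditions */
    const char *inputs[] = { "http://example.invalid/a.xml",
                             "file:///private/x.xml",
                             "not a url",
                             "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-30s check=%2d vulnerable=%d hardened=%d\n", inputs[i],
               check_read(inputs[i]), load_vulnerable(inputs[i]),
               load_hardened(inputs[i]));
    return 0;
}
```

The rows for the two error inputs show the difference: the vulnerable caller reports them as loaded, the hardened caller blocks them. When reviewing callers of any tri-state check, the test to apply is that every result other than the explicit "allowed" value takes the deny branch.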

Comment 5 PC LX 2019-04-28 11:05:40 CEST
The package version of the mga6 updates is the same as the previous packages. Shouldn't release be bumped up? Otherwise it will not show up in the updates.

$ rpm -qi xsltproc  | egrep "Name|Version|Release|Build Date|Source|Arch"
Name        : xsltproc
Version     : 1.1.29
Release     : 6.mga6
Architecture: x86_64
Source RPM  : libxslt-1.1.29-6.mga6.src.rpm
Build Date  : Sex 26 Mai 2017 07:56:20 WEST

CC: (none) => mageia

Comment 6 Herman Viaene 2019-05-01 14:58:43 CEST
Using the QArepo tool, the listed versions appear in the updates. I can also confirm that the packages are also in the regular repo. I ran the tests from the wiki to be sure all is still OK, but this update bug seems rather useless if no real updates are in it. OK it, might just make it disappear from the list, but is that what is needed????

CC: (none) => herman.viaene

Comment 7 PC LX 2019-05-01 20:27:21 CEST
The xsltproc package in the "core updates testing" repository and the xsltproc package in the "core release" repository have the same version+release.
Because of that, the update is not showing when updating the system. The release needs to be bumped up.


$ wget --quiet 'http://ftp.free.fr/mirrors/mageia.org/distrib/6/x86_64/media/core/updates_testing/xsltproc-1.1.29-6.mga6.x86_64.rpm'
$ rpm -qip xsltproc-1.1.29-6.mga6.x86_64.rpm 
Name        : xsltproc
Version     : 1.1.29
Release     : 6.mga6
Architecture: x86_64
Install Date: (not installed)
Group       : System/Libraries
Size        : 27084
License     : MIT
Signature   : RSA/SHA256, Qui 25 Abr 2019 18:37:54 WEST, Key ID b742fa8b80420f66
Source RPM  : libxslt-1.1.29-6.mga6.src.rpm
Build Date  : Qui 25 Abr 2019 18:35:59 WEST
Build Host  : localhost
Relocations : (not relocatable)
Packager    : shlomif <shlomif>
Vendor      : Mageia.Org
URL         : http://xmlsoft.org/XSLT/
Summary     : XSLT processor using libxslt
Description :
This package provides an XSLT processor based on the libxslt C library.
It allows to transform XML files into other XML files
(or HTML, text, ...) using the standard XSLT stylesheet transformation
mechanism.
$ wget --quiet 'http://ftp.free.fr/mirrors/mageia.org/distrib/6/x86_64/media/core/release/xsltproc-1.1.29-6.mga6.x86_64.rpm'
$ rpm -qip xsltproc-1.1.29-6.mga6.x86_64.rpm.1
Name        : xsltproc
Version     : 1.1.29
Release     : 6.mga6
Architecture: x86_64
Install Date: (not installed)
Group       : System/Libraries
Size        : 27076
License     : MIT
Signature   : RSA/SHA1, Sex 26 Mai 2017 08:10:38 WEST, Key ID b742fa8b80420f66
Source RPM  : libxslt-1.1.29-6.mga6.src.rpm
Build Date  : Sex 26 Mai 2017 07:56:20 WEST
Build Host  : rabbit.mageia.org
Relocations : (not relocatable)
Packager    : neoclust <neoclust>
Vendor      : Mageia.Org
URL         : http://xmlsoft.org/XSLT/
Summary     : XSLT processor using libxslt
Description :
This package provides an XSLT processor based on the libxslt C library.
It allows to transform XML files into other XML files
(or HTML, text, ...) using the standard XSLT stylesheet transformation
mechanism.
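Why two builds with the same version-release never surface as an update, as an added check that is not from this bug report or from rpm itself: a simplified re-implementation of RPM's segment-by-segment version comparison (digit runs compared numerically, alpha runs lexically, a numeric segment outranking an alpha one; the tilde and caret rules are omitted), applied to the release strings seen in this bug. The function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified rpmvercmp(): walks both strings one segment at a time. Digit runs
 * compare numerically, alpha runs lexically, a numeric segment outranks an
 * alpha segment at the same position, and the string with segments left over
 * wins a tie. The ~ and ^ special cases of the real algorithm are left out. */
static int rpm_vercmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0)
        return 0;
    while (*a || *b) {
        /* separators (anything non-alphanumeric) are skipped, never compared */
        while (*a && !isalnum((unsigned char)*a)) a++;
        while (*b && !isalnum((unsigned char)*b)) b++;
        if (!*a || !*b)
            break;
        const char *sa = a, *sb = b;
        int isnum = isdigit((unsigned char)*a) ? 1 : 0;
        if (isnum) {
            while (isdigit((unsigned char)*a)) a++;
            while (isdigit((unsigned char)*b)) b++;
        } else {
            while (isalpha((unsigned char)*a)) a++;
            while (isalpha((unsigned char)*b)) b++;
        }
        if (sb == b)                        /* segment types differ: numeric wins */
            return isnum ? 1 : -1;
        size_t la, lb;
        if (isnum) {
            while (sa < a && *sa == '0') sa++;   /* drop leading zeros */
            while (sb < b && *sb == '0') sb++;
            la = (size_t)(a - sa);
            lb = (size_t)(b - sb);
            if (la != lb)                   /* longer digit run is the larger number */
                return la > lb ? 1 : -1;
        } else {
            la = (size_t)(a - sa);
            lb = (size_t)(b - sb);
        }
        size_t n = la < lb ? la : lb;
        int rc = strncmp(sa, sb, n);
        if (rc != 0)
            return rc > 0 ? 1 : -1;
        if (la != lb)                       /* alpha prefix: the shorter one sorts first */
            return la > lb ? 1 : -1;
    }
    if (!*a && !*b)
        return 0;
    return *a ? 1 : -1;                     /* whoever still has segments is newer */
}

/* Compare a candidate version-release against the installed one the way an
 * updater would (epoch assumed equal): > 0 means the candidate is newer. */
static int rpm_vr_cmp(const char *cand_v, const char *cand_r,
                      const char *inst_v, const char *inst_r)
{
    int rc = rpm_vercmp(cand_v, inst_v);
    return rc != 0 ? rc : rpm_vercmp(cand_r, inst_r);
}

int main(void)
{
    /* the builds seen in this bug: release repo, first updates_testing upload
     * (same release), and the rebuilt package with the bumped release */
    printf("1.1.29-6.mga6   vs 1.1.29-6.mga6 -> %d (tie: not offered)\n",
           rpm_vr_cmp("1.1.29", "6.mga6", "1.1.29", "6.mga6"));
    printf("1.1.29-6.1.mga6 vs 1.1.29-6.mga6 -> %d (newer: offered)\n",
           rpm_vr_cmp("1.1.29", "6.1.mga6", "1.1.29", "6.mga6"));
    printf("1.1.33-2.mga7   vs 1.1.29-6.mga6 -> %d (newer: offered)\n",
           rpm_vr_cmp("1.1.33", "2.mga7", "1.1.29", "6.mga6"));
    return 0;
}
```

The first line is the situation in comments 5 and 7: equal version and equal release compare as 0, so the updater has nothing to offer. Bumping the release to 6.1.mga6 inserts a numeric segment where the old release has the alpha segment "mga", and numeric beats alpha, so the rebuilt package compares greater.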
Comment 8 David Walser 2019-05-02 05:29:40 CEST
libxslt-1.1.29-6.1.mga6.src.rpm building now.
Comment 9 PC LX 2019-05-02 11:51:19 CEST
Installed and tested without issues.

Tested using: chromium browser, php-xsl, xsltproc, tellico, inkscape, parley.

The xslt libs are also directly or indirectly used by a bunch of other packages on the system and no regressions were noticed.

System: Mageia 6, x86_64, Plasma DE; LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep xslt.*1.1.29 | sort
lib64xslt1-1.1.29-6.1.mga6
libxslt1-1.1.29-6.1.mga6
xsltproc-1.1.29-6.1.mga6

Whiteboard: (none) => MGA6-64-OK

Comment 10 PC LX 2019-05-10 01:46:53 CEST
Is anything else needed to push this update forward?
Comment 11 Dave Hodgins 2019-05-18 11:52:15 CEST
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 12 Mageia Robot 2019-05-18 14:34:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0175.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
