Bug 6810 - libxslt new security issue CVE-2012-2825
: libxslt new security issue CVE-2012-2825
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/507084/
: MGA1TOO MGA2-32-OK MGA1-32-OK MGA2-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-07-18 00:17 CEST by David Walser
Modified: 2012-07-24 13:41 CEST (History)
4 users (show)

See Also:
Source RPM: libxslt-1.1.26-6.20120127.1.mga2.src.rpm
CVE:


Attachments
zip of files for testing (1.24 KB, application/octet-stream)
2012-07-20 05:22 CEST, Dave Hodgins
Details

Description David Walser 2012-07-18 00:17:00 CEST
OpenSuSE has issued an advisory today (July 17):
http://lists.opensuse.org/opensuse-updates/2012-07/msg00033.html

Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated libxslt packages fix security vulnerability:

The XSL implementation in libxslt 1.1.26 and earlier allows remote
attackers to cause a denial of service (incorrect read operation) via
an incorrect read operation (CVE-2012-2825).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2825
http://lists.opensuse.org/opensuse-updates/2012-07/msg00033.html
========================

Updated packages in core/updates_testing:
========================
xsltproc-1.1.26-5.2.mga1
libxslt1-1.1.26-5.2.mga1
python-libxslt-1.1.26-5.2.mga1
libxslt-devel-1.1.26-5.2.mga1
xsltproc-1.1.26-6.20120127.2.mga2
libxslt1-1.1.26-6.20120127.2.mga2
python-libxslt-1.1.26-6.20120127.2.mga2
libxslt-devel-1.1.26-6.20120127.2.mga2

from SRPMS:
libxslt-1.1.26-5.2.mga1.src.rpm
libxslt-1.1.26-6.20120127.2.mga2.src.rpm
Comment 1 Dave Hodgins 2012-07-20 05:22:46 CEST
Created attachment 2568 [details]
zip of files for testing

Files created based on
http://www.w3.org/TR/xslt#section-Examples
Comment 2 Dave Hodgins 2012-07-20 05:24:20 CEST
Testing complete on Mageia 2 i586.

$ xsltproc my.style my.dtd
<?xml version="1.0" encoding="iso-8859-1"?>
<html xmlns="http://www.w3.org/TR/xhtml1/strict">
  <head>
    <title>Document Title</title>
  </head>
  <body>
    <h1>Document Title</h1>
    <h2>Chapter Title</h2>
    <h3>Section Title</h3>
    <p>This is a test.</p>
    <p class="note"><b>NOTE: </b>This is a note.</p>
    <h3>Another Section Title</h3>
    <p>This is <em>another</em> test.</p>
    <p class="note"><b>NOTE: </b>This is another note.</p>
  </body>
</html>

I'll test Mageia 1 i586 shortly.
Comment 3 Dave Hodgins 2012-07-20 05:33:15 CEST
Testing complete on Mageia 1 i586
Comment 4 Samuel Verschelde 2012-07-23 18:22:48 CEST
Testing ok using Dave's procedure and files, on Mageia 2 64 bits
Comment 5 David Walser 2012-07-23 19:05:13 CEST
Mandriva has issued an advisory for this today (July 23):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:109

I just noticed a mistake in my advisory, so reposting it now.

Advisory:
========================

Updated libxslt packages fix security vulnerability:

The XSL implementation in libxslt 1.1.26 and earlier allows remote
attackers to cause a denial of service (incorrect read operation) via
unspecified vectors (CVE-2012-2825).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2825
http://lists.opensuse.org/opensuse-updates/2012-07/msg00033.html
========================

Updated packages in core/updates_testing:
========================
xsltproc-1.1.26-5.2.mga1
libxslt1-1.1.26-5.2.mga1
python-libxslt-1.1.26-5.2.mga1
libxslt-devel-1.1.26-5.2.mga1
xsltproc-1.1.26-6.20120127.2.mga2
libxslt1-1.1.26-6.20120127.2.mga2
python-libxslt-1.1.26-6.20120127.2.mga2
libxslt-devel-1.1.26-6.20120127.2.mga2

from SRPMS:
libxslt-1.1.26-5.2.mga1.src.rpm
libxslt-1.1.26-6.20120127.2.mga2.src.rpm
Comment 6 Samuel Verschelde 2012-07-23 23:35:42 CEST
Testing complete on Mageia 1 64 bits.

Update validated. See comment #5 for advisory and packages. No linking required. Thanks!
Comment 7 Thomas Backlund 2012-07-24 13:41:12 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0180

Note You need to log in before you can comment on or make changes to this bug.