Bug 7480 - libxslt new security issues CVE-2011-1202, CVE-2012-2870 and CVE-2012-2871
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/516319/
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1...
Keywords: validated_update

Reported: 2012-09-14 21:38 CEST by David Walser
Modified: 2012-09-15 20:17 CEST

Source RPM: libxslt

Description David Walser 2012-09-14 21:38:25 CEST
Red Hat has issued an advisory on September 13:
https://rhn.redhat.com/errata/RHSA-2012-1265.html
Comment 1 David Walser 2012-09-14 21:57:37 CEST
Their update also fixes CVE-2011-1202, which is not fixed in our Mageia 1 package.
Comment 2 David Walser 2012-09-14 22:16:13 CEST
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory (Mageia 1):
========================

Updated libxslt packages fix security vulnerabilities:

An information leak could occur if an application using libxslt processed
an untrusted XPath expression, or used a malicious XSL file to perform an
XSL transformation. If combined with other flaws, this leak could possibly
help an attacker bypass intended memory corruption protections
(CVE-2011-1202).

libxslt 1.1.26 and earlier does not properly manage memory, which might
allow remote attackers to cause a denial of service (application crash)
via a crafted XSLT expression that is not properly identified during XPath
navigation, related to (1) the xsltCompileLocationPathPattern function in
libxslt/pattern.c and (2) the xsltGenerateIdFunction function in
libxslt/functions.c (CVE-2012-2870).

A heap-based buffer overflow flaw was found in the way libxslt applied
templates to nodes selected by certain namespaces. An attacker could use
this flaw to create a malicious XSL file that, when used by an application
linked against libxslt to perform an XSL transformation, could cause the
application to crash or, possibly, execute arbitrary code with the
privileges of the user running the application (CVE-2012-2871).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871
https://rhn.redhat.com/errata/RHSA-2012-1265.html

Advisory (Mageia 2):
========================

Updated libxslt packages fix security vulnerabilities:

libxslt 1.1.26 and earlier does not properly manage memory, which might
allow remote attackers to cause a denial of service (application crash)
via a crafted XSLT expression that is not properly identified during XPath
navigation, related to (1) the xsltCompileLocationPathPattern function in
libxslt/pattern.c and (2) the xsltGenerateIdFunction function in
libxslt/functions.c (CVE-2012-2870).

A heap-based buffer overflow flaw was found in the way libxslt applied
templates to nodes selected by certain namespaces. An attacker could use
this flaw to create a malicious XSL file that, when used by an application
linked against libxslt to perform an XSL transformation, could cause the
application to crash or, possibly, execute arbitrary code with the
privileges of the user running the application (CVE-2012-2871).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871
https://rhn.redhat.com/errata/RHSA-2012-1265.html
========================

Updated packages in core/updates_testing:
========================
xsltproc-1.1.26-5.3.mga1
libxslt1-1.1.26-5.3.mga1
python-libxslt-1.1.26-5.3.mga1
libxslt-devel-1.1.26-5.3.mga1
xsltproc-1.1.26-6.20120127.3.mga2
libxslt1-1.1.26-6.20120127.3.mga2
python-libxslt-1.1.26-6.20120127.3.mga2
libxslt-devel-1.1.26-6.20120127.3.mga2

from SRPMS:
libxslt-1.1.26-5.3.mga1.src.rpm
libxslt-1.1.26-6.20120127.3.mga2.src.rpm
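The Mageia 1 advisory above describes CVE-2011-1202 as an information leak that can help bypass memory corruption protections. The CVE itself concerns libxslt's generate-id() XPath function returning an identifier derived from the node's heap address, so any stylesheet that prints generate-id() into its output discloses a heap pointer to whoever reads the transformed document. The following is an added example, not code from this bug report or from libxslt: it reproduces that pattern on a constructed toy node type, shows how the address is recovered from the id, and contrasts it with a hypothetical hardened variant that numbers nodes from a per-run table. The names toy_node, leaky_generate_id, address_from_leaky_id, id_table and safe_generate_id are invented for the example, and the hardened variant is an illustration of the design principle, not libxslt's actual fix.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy "node": stands in for an xmlNode; nothing here is libxslt code. */
typedef struct toy_node {
    const char *name;
    struct toy_node *next;
} toy_node;

/* Vulnerable pattern (illustrative): the identifier is the heap address of the
 * node printed as a number. Whoever reads the transformed output learns where
 * the node lives, which is the ASLR-defeating primitive a memory-corruption bug
 * such as the heap overflow in CVE-2012-2871 benefits from. */
void leaky_generate_id(const toy_node *n, char *out, size_t outlen)
{
    snprintf(out, outlen, "idp%lu", (unsigned long)(uintptr_t)n);
}

/* What an attacker does with such an id: parse the address back out. */
uintptr_t address_from_leaky_id(const char *id)
{
    if (strncmp(id, "idp", 3) != 0)
        return 0;
    return (uintptr_t)strtoul(id + 3, NULL, 10);
}

/* Hardened pattern (illustrative, not libxslt's actual fix): ids come from a
 * per-transformation table that numbers nodes in order of first use. The id is
 * still unique and stable within the run, as generate-id() requires, but it
 * carries no information about memory layout. */
#define MAX_IDS 256
typedef struct {
    const toy_node *nodes[MAX_IDS];
    size_t count;
} id_table;

/* Returns 0 on success, -1 if the table is full (caller must treat that as an error). */
int safe_generate_id(id_table *t, const toy_node *n, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; i < t->count; i++)
        if (t->nodes[i] == n)
            break;
    if (i == t->count) {
        if (t->count == MAX_IDS)
            return -1;
        t->nodes[t->count++] = n;
    }
    snprintf(out, outlen, "id%zu", i + 1);
    return 0;
}

/* Property 1: the leaky id gives back the exact heap address. Returns 1 if so. */
int leaky_id_reveals_address(void)
{
    toy_node *n = malloc(sizeof *n);
    char id[64];
    int leaked;
    if (n == NULL)
        return 0;
    n->name = "a";
    n->next = NULL;
    leaky_generate_id(n, id, sizeof id);
    leaked = (address_from_leaky_id(id) == (uintptr_t)n);
    free(n);
    return leaked;
}

/* Property 2: the safe id is stable per node, distinct across nodes, and
 * carries nothing an attacker can turn back into an address. Returns 1 if all hold. */
int safe_ids_are_stable_and_opaque(void)
{
    toy_node *a = malloc(sizeof *a), *b = malloc(sizeof *b);
    id_table t = { {0}, 0 };
    char ia[64], ib[64], ia2[64];
    int ok = 0;
    if (a == NULL || b == NULL) {
        free(a);
        free(b);
        return 0;
    }
    a->name = "a"; a->next = b;
    b->name = "b"; b->next = NULL;
    if (safe_generate_id(&t, a, ia, sizeof ia) == 0 &&
        safe_generate_id(&t, b, ib, sizeof ib) == 0 &&
        safe_generate_id(&t, a, ia2, sizeof ia2) == 0)
        ok = strcmp(ia, "id1") == 0 && strcmp(ib, "id2") == 0 &&
             strcmp(ia, ia2) == 0 && address_from_leaky_id(ia) == 0;
    free(a);
    free(b);
    return ok;
}

int main(void)
{
    printf("leaky id reveals heap address: %d\n", leaky_id_reveals_address());
    printf("safe ids stable and opaque:    %d\n", safe_ids_are_stable_and_opaque());
    return 0;
}
```

The point of the contrast is the one the advisory makes: on its own the leak is harmless, but combined with a memory corruption flaw in the same process (the advisory's CVE-2012-2871 is one) a known heap address removes the guesswork that ASLR is supposed to impose. The hardened variant keeps the generate-id() contract, unique and stable within one transformation, while removing the layout information.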
Comment 3 claire robinson 2012-09-15 12:23:37 CEST
No PoCs that I can find.

The CVEs mainly refer to its use in Google Chrome, so testing with chromium-browser, using the tests found if you scroll down here: http://greenbytes.de/tech/tc/xslt/
Comment 4 claire robinson 2012-09-15 12:48:47 CEST
Testing complete Mga2 64 for lib64xslt1, python-libxslt & xsltproc

We have a QA procedure for this on the wiki:
https://wiki.mageia.org/en/QA_procedure:Libxslt

$ strace -o strace.out chromium-browser && grep xslt strace.out | grep -v "such file"

open("/usr/lib64/libxslt.so.1", O_RDONLY) = 3

(This line shows it loading the external lib)

Other tests produce html output as per the wiki.
Comment 5 claire robinson 2012-09-15 12:56:56 CEST
Testing complete Mga1 32
Comment 6 claire robinson 2012-09-15 13:08:54 CEST
Testing complete mga1-64-OK
Comment 7 Shlomi Fish 2012-09-15 14:13:40 CEST
Testing complete mga2-32-OK. Everything seems fine.

Regards,

-- Shlomi Fish
Comment 8 claire robinson 2012-09-15 14:26:27 CEST
Thank you, Shlomi

Validating

See comment 2 for SRPMs and advisories. They are different for mga1 and mga2.

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
