222499 CVE-2008-1767 2008-05-17 12:02 0000 dev-libs/libxslt <1.1.24 XSL match processing overflow (CVE-2008-1767) 2008-06-08 20:51:53 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://bugzilla.gnome.org/show_bug.cgi?id=527297 A2 [glsa] P2 normal --- 218643 1 rbu@gentoo.org security@gentoo.org arm@gentoo.org astinus@gentoo.org gnome@gentoo.org m68k@gentoo.org s390@gentoo.org sh@gentoo.org rbu@gentoo.org 2008-05-17 12:02:14 0000 Anthony de Almeida Lopes reported a buffer overflow in libxslt when parsing XSL files. The issue was fixed in the freshly released 1.1.24, a patch and PoC can be found in this bug: http://bugzilla.gnome.org/show_bug.cgi?id=527297 This issue is SEMI-PULIC, so we can push fixes to the tree, as long as they do not mention security implications. Gilles, Leonardo, Daniel, would you rather bump and fast-stable, or patch? Embargo date is 2008-05-21 7:00 UTC dang@gentoo.org 2008-05-19 17:40:26 0000 Sorry for the delay. I've done the bump to 1.1.24. rbu@gentoo.org 2008-05-20 11:50:01 0000 Arch Security Liaisons, please test and mark stable: =dev-libs/libxslt-1.1.24 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86" CC'ing current Liaisons: alpha : yoswink amd64 : welp hppa : jer ppc : dertobi123 ppc64 : corsair release : pva sparc : fmccor x86 : opfer rbu@gentoo.org 2008-05-20 11:51:52 0000 Solar, I'm cc'ing you as for infra part. fmccor@gentoo.org 2008-05-20 14:03:53 0000 Sparc stable. I'm assuming that this is expected from the test suite in several places: ================================== ## Running general tests bug-165 result 0a1,4 > runtime error: file ./bug-165.xsl line 6 element value-of > Variable pStyle has not been declared. > runtime error: file ./bug-165.xsl line 6 element value-of > XPath evaluation returned no result. =================================== dertobi123@gentoo.org 2008-05-20 14:34:30 0000 ppc stable jer@gentoo.org 2008-05-20 16:02:32 0000 Stable for HPPA. yoswink@gentoo.org 2008-05-20 16:33:42 0000 - Compiles fine with python and crypt use flags on - Testsuite successfull. - The app was able to build html pygtksourceview documentation just fine. alpha stable. fauli@gentoo.org 2008-05-20 18:38:15 0000 stable for x86...do I remember correctly that such stabilisations as these should take place without mentioning the word "security" in ChangeLog comment? If yes, this is a kindly reminder to everyone. rbu@gentoo.org 2008-05-20 18:45:30 0000 (In reply to comment #8) > stable for x86...do I remember correctly that such stabilisations as these > should take place without mentioning the word "security" in ChangeLog comment? > If yes, this is a kindly reminder to everyone. That's correct. We try to keep a low profile in SEMI-PUBLIC situations, and not mention any security impact in public changelogs. dang@gentoo.org 2008-05-20 18:58:51 0000 fmccor: Those test failures occur on amd64 as well. Since they don't cause build failures, I missed them. However, sparc, is not alone. jer@gentoo.org 2008-05-20 19:06:18 0000 (In reply to comment #9) > That's correct. We try to keep a low profile in SEMI-PUBLIC situations, and not > mention any security impact in public changelogs. I "fixed" fmccor's ChangeLog entry (deleted "Security", that's all). Nothing I can do about the commit message, of course. Maybe it's a good thing to always simply mention the bug number if keywording is all you're doing - that should be all anyone needs to know anyhow, as the bug will normally explain the rest. There's a lot to be said for keeping ChangeLog entries brief and to the point in general. fmccor@gentoo.org 2008-05-20 19:19:06 0000 At one point, I was under the impression that when it was a security bug, we mentioned that in the Changelog to explain why things were going immediately to stable. Is that not the case? corsair@gentoo.org 2008-05-21 06:07:35 0000 ppc64 stable yoswink@gentoo.org 2008-05-21 09:17:31 0000 (In reply to comment #9) > That's correct. We try to keep a low profile in SEMI-PUBLIC situations, and not > mention any security impact in public changelogs. Oh! Sorry about my changelog entry, didn't know about this SEMI-PUBLIC special cases. I've removed it. (In reply to comment #12) > At one point, I was under the impression that when it was a security bug, we > mentioned that in the Changelog to explain why things were going immediately to > stable. Is that not the case? I'm all for this. It also helps to know how often a package is affected by security holes. Of course, we can make the necessary exceptions to this rule, like this semi-public keyword situation. vorlon@gentoo.org 2008-05-21 10:39:15 0000 This is now public via http://rhn.redhat.com/errata/RHSA-2008-0287.html Removing security liaisons and adding remaining arch teams. armin76@gentoo.org 2008-05-22 17:40:24 0000 ia64 stable maekke@gentoo.org 2008-05-22 18:18:56 0000 Not multilib-strict: Files matching a file type that is not allowed: usr/lib/python2.4/site-packages/libxsltmod.so * * ERROR: dev-libs/libxslt-1.1.24 failed. * Call stack: * misc-functions.sh, line 609: Called install_qa_check * misc-functions.sh, line 360: Called die * The specific snippet of code: * [[ ${abort} == yes ]] && die "multilib-strict check failed!" * The die message: * multilib-strict check failed! Portage 2.1.4.4 (default/linux/amd64/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.25.3 x86_64) ================================================================= System uname: 2.6.25.3 x86_64 Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz Timestamp of tree: Thu, 22 May 2008 16:37:01 +0000 app-shells/bash: 3.2_p33 dev-java/java-config: 1.3.7, 2.1.4 dev-lang/python: 2.4.4-r9 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind /var/lib/hsqldb /var/qmail/alias /var/qmail/control /var/spool/torque" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d" CXXFLAGS="-O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="buildpkg collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" PKGDIR="/mnt/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X acl acpi alsa amd64 apache2 berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jpeg kde kerberos ldap libnotify mad midi mikmod mmx mp3 mpeg mudflap multilib ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl sse sse2 ssl startup-notification svg tcpd test tiff truetype unicode vorbis xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY rbu@gentoo.org 2008-05-22 18:23:15 0000 maekke, I believe that is bug 218643. dang@gentoo.org 2008-05-23 15:07:31 0000 Probably. I have amd64 and multilib-strict, so it's certainly fine with python 2.5. maekke@gentoo.org 2008-05-23 20:58:07 0000 amd64 stable pva@gentoo.org 2008-05-24 13:39:18 0000 Fixed in release snapshot. keytoaster@gentoo.org 2008-05-27 20:53:38 0000 GLSA request filed. keytoaster@gentoo.org 2008-06-08 20:51:53 0000 GLSA 200806-02