Bug 232172 - dev-libs/libxslt >= 1.1.8 <= 1.1.24 heap overflow (CVE-2008-2935)
|
Bug#:
232172
(CVE-2008-2935)
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: major
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: vorlon@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
http://ocert.org/advisories/ocert-2008-009.html
|
|
Summary: dev-libs/libxslt >= 1.1.8 <= 1.1.24 heap overflow (CVE-2008-2935)
|
|
Keywords:
|
|
Status Whiteboard: A2 [glsa]
|
|
Opened: 2008-07-18 09:36 0000
|
** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **
oCERT reports the following, crediting Chris Evans from the Google Security
Team
Description:
The libexslt library bundled with libxslt is affected by a heap-based buffer
overflow which can lead to arbitrary code execution.
The vulnerability is present in the rc4 encryption/decryption functions. An
arbitrary length string, passed as an argument in the XSL input, is incorrectly
copied over a padding variable which is previously allocated with a fixed size
of 128bit (RC4_KEY_LENGTH).
Aside from the heap overflow other bugs affect the code, the length of the
plaintext string argument is used for computing the key length rather than the
actual key and the zero-padding of the key is incorrectly computed.
A simple XML file with excessively long input can be crafted for triggering the
heap overflow.
Affected version:
libxslt >= 1.18, <= 1.1.24
--------
adding eva and dang for the gnome herd, solar for infra as they might be
interested in this
(In reply to comment #0)
> libxslt >= 1.18, <= 1.1.24
this should be >= 1.1.8, <= 1.1.24
dang/eva could you prepare an ebuild with the patch and attach it here, so arch
security liaisons can test it
Created an attachment (id=160719) [details]
Ebuild applying patch
The patch looks correct; that said, there have to have been a lot of
circumstances when it just didn't work before. That made me curious. As far
as the sources on my box and google knows, nothing uses those functions at all.
Maybe they're used indirectly in some way I can't find?
Anyway, I'm attaching an ebuild that applies that patch (renamed to
${P}-exslt_crypt.patch) so it can be tested.
Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : yoswink
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : opfer
----
dang, probably used indirectly by including the relevant extension
(http://exslt.org/howto.html)
Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : yoswink
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : opfer
libxslt-1.1.24-r1 looks good on sparc (tests run OK).
Looks good on alpha/ia64/x86
Looks good on amd64 too :D
a bit late, but looks also good on ppc
GNOME team, this will go public tomorrow at 15:00 UTC (17:00 CEST), please
commit after that with the stable keywords gathered in this bug.
Arches, please test and mark stable:
=dev-libs/libxslt-1.1.24-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Missing keywords: "arm m68k s390 sh"
