Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 436284 (CVE-2012-2893) - <dev-libs/libxslt-1.1.27: double free in XSL transforms (CVE-2012-2893)
Summary: <dev-libs/libxslt-1.1.27: double free in XSL transforms (CVE-2012-2893)
Status: RESOLVED FIXED
Alias: CVE-2012-2893
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-26 10:29 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-01-10 14:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-27 00:06:48 UTC 
Already fixed in dev-libs/libxslt-1.1.27; probably it should be stabilized.
Comment 2 Pacho Ramos gentoo-dev 2012-09-27 06:52:03 UTC 
(In reply to comment #1)
> Already fixed in dev-libs/libxslt-1.1.27; probably it should be stabilized.

+1
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-27 07:32:39 UTC 
Arches, please go ahead.
Comment 4 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-09-27 12:37:32 UTC 
Tested amd64: all fine here.

Just a little change to the ebuild. The lines 108 and 109 should be moved into the "if use python" statement you can see few lines before, because if you don't have python USE flag activated, you will see this message at the "installation phase":

mv: cannot stat '/var/tmp/portage/dev-libs/libxslt-1.1.27/image//usr/share/doc/libxslt-python-1.1.27': No such file or directory
Comment 5 Agostino Sarubbo gentoo-dev 2012-09-27 13:14:21 UTC 
(In reply to comment #4)
> Tested amd64: all fine here.
> 
> Just a little change to the ebuild. The lines 108 and 109 should be moved
> into the "if use python" statement you can see few lines before, because if
> you don't have python USE flag activated, you will see this message at the
> "installation phase":
> 
> mv: cannot stat
> '/var/tmp/portage/dev-libs/libxslt-1.1.27/image//usr/share/doc/libxslt-
> python-1.1.27': No such file or directory

good catch, this is fixed now.
Comment 6 Agostino Sarubbo gentoo-dev 2012-09-27 13:17:18 UTC 
amd64 stable
Comment 7 Johannes Huber (RETIRED) gentoo-dev 2012-09-28 12:31:00 UTC 
x86 stable
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-28 18:14:23 UTC 
ppc/ppc64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-09-29 16:11:12 UTC 
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2012-09-29 17:39:54 UTC 
Stable for HPPA.
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-30 01:46:41 UTC 
Thanks, everyone.

GLSA on the way.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-09-30 20:17:49 UTC 
CVE-2012-2893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2893):
  Double free vulnerability in libxslt, as used in Google Chrome before
  22.0.1229.79, allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via vectors related to XSL
  transforms.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-01-10 14:53:23 UTC 
This issue was resolved and addressed in
 GLSA 201401-07 at http://security.gentoo.org/glsa/glsa-201401-07.xml
by GLSA coordinator Sergey Popov (pinkbyte).