Bug 684206 (CVE-2019-11068) - <dev-libs/libxslt-1.1.33-r1: xsltCheckRead and xsltCheckWrite routines security bypass by crafted URL (CVE-2019-11068)
Status: RESOLVED FIXED
Alias: CVE-2019-11068
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: A4 [noglsa cve]
Keywords:
Depends on:
Blocks: 675382
Reported: 2019-04-23 17:47 UTC by Hans de Graaff
Modified: 2019-08-11 01:11 UTC

See Also:
Package list:
dev-libs/libxslt-1.1.33-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
Working version of the patch - no longer downloadable (libxslt-1.1.33-CVE-2019-11068.patch,3.87 KB, patch)
2019-07-16 09:35 UTC, Bryant Hansen

Description Hans de Graaff gentoo-dev Security 2019-04-23 17:47:36 UTC
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
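
The caller-side flaw described above, as an added example that is not part of the original report and is not libxslt code. `check_read`, `load_resource`, both caller functions, the 32-byte parser limit and the sample paths are constructed for illustration; only the 1 / 0 / -1 return contract mirrors xsltCheckRead.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical tri-state check following the xsltCheckRead contract:
 * 1 = allowed, 0 = forbidden, -1 = error. The 32-byte limit is a toy rule. */
static int check_read(const char *url)
{
    if (url == NULL || strlen(url) > 32)
        return -1;                             /* could not evaluate */
    return strncmp(url, "/srv/xsl/", 9) == 0;  /* 1 in allowed dir, else 0 */
}

/* Stand-in loader, more lenient than the checker; 1 means "loaded". */
static int load_resource(const char *url) { return url != NULL; }

/* Caller pattern from the bug description: only an explicit 0 blocks. */
static int load_unchecked_error(const char *url)
{
    int res = check_read(url);
    if (res == 0)
        return 0;
    return load_resource(url);   /* res == -1 reaches the loader */
}

/* Fail-closed caller: an error from the check is handled like a denial. */
static int load_fail_closed(const char *url)
{
    int res = check_read(url);
    if (res <= 0)
        return 0;
    return load_resource(url);
}

/* Constructed sample inputs. */
static const char ALLOWED[]  = "/srv/xsl/report.xsl";
static const char DENIED[]   = "/home/user/private.xml";
static const char UNPARSED[] = "/home/user/a-very-long-directory-name/private.xml";

int main(void)
{
    const char *in[] = { ALLOWED, DENIED, UNPARSED };
    for (int i = 0; i < 3; i++)
        printf("check=%2d unchecked=%d fail_closed=%d %s\n", check_read(in[i]),
               load_unchecked_error(in[i]), load_fail_closed(in[i]), in[i]);
    return 0;
}
```

The third input is outside the allowed directory, yet the first caller loads it because the check failed with -1 rather than answering 0.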
Comment 1 Larry the Git Cow gentoo-dev 2019-05-14 05:21:03 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9128cdb81b317f56cf4605404e556b8681152fe9

commit 9128cdb81b317f56cf4605404e556b8681152fe9
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2019-05-14 05:20:16 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2019-05-14 05:20:55 +0000

    dev-libs/libxslt: bump with patch for CVE-2019-11068
    
    Fixes: https://bugs.gentoo.org/684206
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 dev-libs/libxslt/Manifest                 |   2 +
 dev-libs/libxslt/libxslt-1.1.33-r1.ebuild | 125 ++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+)
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-05-14 05:24:09 UTC
security: this bump is in place now; but I notice that the src_test is broken even in the last version in the tree; I think it's a false positive from bad paths in the testsuite somehow.

(this path difference on every test, same in 1.1.33).
test-2.5-1 result
1c1
< compilation error: file ./test-2.5-1.xsl line 2 element stylesheet
---
> compilation error: file /var/tmp/portage/dev-libs/libxslt-1.1.32/work/libxslt-1.1.32/tests/REC/test-2.5-1.xsl line 2 element stylesheet
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-05-14 18:49:11 UTC
arm64 stable
Comment 4 Rolf Eike Beer archtester 2019-05-17 19:48:08 UTC
sparc stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-20 11:47:18 UTC
amd64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-22 08:13:26 UTC
ia64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 07:57:22 UTC
ppc stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 08:02:25 UTC
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-26 07:08:42 UTC
hppa stable
Comment 10 Larry the Git Cow gentoo-dev 2019-06-04 07:53:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1aa3e24bdbc61cdc08956e8dfed3a4232ee447db

commit 1aa3e24bdbc61cdc08956e8dfed3a4232ee447db
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-06-04 07:52:22 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-06-04 07:52:38 +0000

    dev-libs/libxslt-1.1.33-r1: alpha stable
    
    Bug: http://bugs.gentoo.org/684206
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-libs/libxslt/libxslt-1.1.33-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-04 18:54:22 UTC
s390 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Markus Meier gentoo-dev 2019-06-13 04:27:36 UTC
arm stable
Comment 13 Larry the Git Cow gentoo-dev 2019-07-07 18:58:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63a57c62a64f107d7ab34da854ac7a7a218fe5a6

commit 63a57c62a64f107d7ab34da854ac7a7a218fe5a6
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-07-07 18:21:47 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-07-07 18:58:40 +0000

    dev-libs/libxslt: security cleanup
    
    Bug: https://bugs.gentoo.org/684206
    Package-Manager: Portage-2.3.68, Repoman-2.3.16
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/libxslt/Manifest              |   1 -
 dev-libs/libxslt/libxslt-1.1.32.ebuild | 123 ---------------------------------
 2 files changed, 124 deletions(-)
Comment 14 Bryant Hansen 2019-07-16 08:48:17 UTC
The Manifest for libxslt-1.1.33-r1 is out-of-date.

The patch has a version number at the end of the file: 2.21.0.

This results in a checksum failure.

When inspecting another system where the install worked correctly, I can see that the patch has the version 2.18.1.  This yields the correct checksum.

It appears that upstream has updated the file without changing any naming or versioning information.

Is this worth a new bug, or is this bug the proper place to report?


Note that in my emerge process, the patch has disappeared completely from the default mirror that I use.

http://mirror.switch.ch/ftp/mirror/gentoo/distfiles/libxslt-1.1.33.tar.gz fails with "ERROR 410: Gone"

https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch
succeeds.

In my version of the Manifest file, the checksums are as follows:

DIST libxslt-1.1.33-CVE-2019-11068.patch 3965 BLAKE2B eb3a0741ac9f464e31e8edd276fec4d837c63676a56a446ad42a0e251508bacb0129cbe18783de305336eaa32b189ffc23e95e03cfd5f940d4dee376f1fa0f8c SHA512 9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948

Would it be useful to attach the working and broken versions of the patch?
Comment 15 Bryant Hansen 2019-07-16 09:35:04 UTC
Created attachment 582962
Working version of the patch - no longer downloadable

Current URL used to download via portage:
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch

Reference to the forum discussion:
https://forums.gentoo.org/viewtopic-p-8352262.html
Comment 16 Bryant Hansen 2019-07-16 15:15:11 UTC
This appears to be a problem with the mirror I was using:

GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo/"

I've used this mirror for years on multiple systems without issue.  I can perform a clean merge of libxslt-1.1.33-r1 via multiple other mirrors without issue.

Pardon the misplaced noise.  Perhaps an admin may want to delete these comments?