| Field | Value |
|---|---|
| Summary | dev-libs/libxslt >= 1.1.8 <= 1.1.24 heap overflow (CVE-2008-2935) |
| Product | Gentoo Security |
| Reporter | Matthias Geerdsen (RETIRED) <vorlon> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | gnome, infra-bugs |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://ocert.org/advisories/ocert-2008-009.html |
| Whiteboard | A2 [glsa] |
| Runtime testing required | --- |

Description
Matthias Geerdsen (RETIRED)
2008-07-18 09:36:40 UTC
Created attachment 160702 [details, diff]
patch for CVE-2008-2935
(In reply to comment #0)
> libxslt >= 1.18, <= 1.1.24

this should be >= 1.1.8, <= 1.1.24

dang/eva could you prepare an ebuild with the patch and attach it here, so arch security liaisons can test it

Created attachment 160719 [details]
Ebuild applying patch
The patch looks correct; that said, there have to have been a lot of circumstances when it just didn't work before. That made me curious. As far as the sources on my box and Google know, nothing uses those functions at all. Maybe they're used indirectly in some way I can't find?
Anyway, I'm attaching an ebuild that applies that patch (renamed to ${P}-exslt_crypt.patch) so it can be tested.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : opfer

----

dang, probably used indirectly by including the relevant extension (http://exslt.org/howto.html)

Created attachment 160731 [details]
libxslt-1.1.24-r1.tar.gz
If it helps anyone, here's the overlay incorporating all files.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : opfer

HPPA is OK.

libxslt-1.1.24-r1 looks good on sparc (tests run OK).

Looks good on alpha/ia64/x86

looks good on ppc64

Looks good on amd64 too :D

a bit late, but looks also good on ppc

GNOME team, this will go public tomorrow at 15:00 UTC (17:00 CEST), please commit after that with the stable keywords gathered in this bug.

ebuild committed.

Arches, please test and mark stable:
=dev-libs/libxslt-1.1.24-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Missing keywords: "arm m68k s390 sh"

GLSA 200808-06