Bug 402861 (CVE-2011-3970)

Summary: <dev-libs/libxslt-1.1.26-r3 : Out-of-bounds read when parsing certain patterns (CVE-2011-3970)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=788826
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-02-09 12:48:17 UTC
From redhat bugzilla at $URL:

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3970 to
the following vulnerability:

Name: CVE-2011-3970
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3970
Assigned: 20111001
Reference: CONFIRM:http://code.google.com/p/chromium/issues/detail?id=110277
Reference: CONFIRM:http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html

libxslt, as used in Google Chrome before 17.0.963.46, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.


patch:
http://git.gnome.org/browse/libxslt/commit/?id=fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-02-09 19:35:14 UTC
Thanks for reporting, fixed in libxslt-1.1.26-r3.

>*libxslt-1.1.26-r3 (09 Feb 2012)
>
>  09 Feb 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  -libxslt-1.1.26.ebuild, -libxslt-1.1.26-r1.ebuild, +libxslt-1.1.26-r3.ebuild,
>  +files/libxslt-1.1.26-pattern-out-of-bounds-read.patch:
>  Fix out-of-bounds read in xsltCompilePatternInternal (bug #402861,
>  CVE-2011-3970, thanks to Agostino Sarubbo for reporting). Update to EAPI4.
>  Drop old.
Comment 2 Agostino Sarubbo gentoo-dev 2012-02-09 19:44:08 UTC
Thanks Alexandre.

Arches, please test and mark stable
=dev-libs/libxslt-1.1.26-r3
target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2012-02-09 21:11:29 UTC
Passed test phase, rev deps.

amd64 looks ok
Comment 4 Maurizio Camisaschi (amd64 AT) 2012-02-09 22:01:44 UTC
amd64 ok
Comment 5 Agostino Sarubbo gentoo-dev 2012-02-10 07:44:40 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-10 17:15:00 UTC
Stable for HPPA.
Comment 7 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-10 21:46:29 UTC
x86 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-02-11 19:07:48 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-02-28 19:59:05 UTC
ppc done
Comment 10 Samuli Suominen (RETIRED) gentoo-dev 2012-03-02 20:05:38 UTC
ppc64 done, last arch done
Comment 11 Agostino Sarubbo gentoo-dev 2012-03-02 20:15:39 UTC
@security:

please vote.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2012-03-02 21:27:03 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-03 04:30:25 UTC
GLSA vote: yes. Creating GLSA request.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 02:09:19 UTC
This issue was resolved and addressed in
 GLSA 201203-08 at http://security.gentoo.org/glsa/glsa-201203-08.xml
by GLSA coordinator Sean Amoss (ackle).