Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 612194 (CVE-2017-5029)

Summary: <dev-libs/libxslt-1.1.30: integer overflow
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: bugs, chromium, gnome, Manfred.Knick, toralf
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1431033
See Also: https://bugs.gentoo.org/show_bug.cgi?id=598204
Whiteboard: A2 [glsa+ cve]
Package list:
=dev-libs/libxslt-1.1.30-r2
Runtime testing required: ---
Bug Depends on: 630022, 630024    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2017-03-10 11:25:52 UTC
From ${URL} :

An integer overflow flaw was found in the libxslt component of the Chromium browser.

Upstream bug(s):

https://code.google.com/p/chromium/issues/detail?id=676623

External References:

https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-05-17 01:15:46 UTC
Please confirm if this was fixed in Bug# 612190
Comment 2 Mike Gilbert gentoo-dev 2017-05-17 03:02:16 UTC
(In reply to Yury German from comment #1)
> Please confirm if this was fixed in Bug# 612190

Almost certainly not. There is no mention of dev-libs/libxslt in that bug report.
Comment 3 Mike Gilbert gentoo-dev 2017-05-17 03:06:33 UTC
Upstream fix is here:

https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5

As far as I can tell, it has not been include in any versioned release yet.
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-06-06 13:53:11 UTC
@ Maintainer(s): Please consider a rev bump to add patches for this vulnerability and bug 598204.
Comment 5 Gilles Dartiguelongue gentoo-dev 2017-09-05 06:59:10 UTC
This patch made it to 1.1.30 release that I just added to the tree.
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-05 15:49:16 UTC
Thank you Gilles,

@Arches please test and mark stable,  CCing HPPA till we have a final resolution in Bug 629554.


Gentoo Security Padawan
ChrisADR
Comment 7 Pacho Ramos gentoo-dev 2017-09-05 19:02:31 UTC
Please note I have just noticed systemd stopping building with this version (#630022). It's because of this commit:
https://git.gnome.org/browse/libxslt/commit/?id=1c8e0e556289582fece6f1a59113a7a5bef46ba4

Maybe Toralf could run a *stable* tinderbox to rebuild all dev-libs/libxslt reverse deps and see if others are broken too :/ Thanks! :)
Comment 8 Toralf Förster gentoo-dev 2017-09-05 20:18:09 UTC
(In reply to Pacho Ramos from comment #7)
Sure, for dev-libs/libxslt-1.1.30 being keyworded at that stable image or for the current stable 1.1.29 ?
Comment 9 Mike Gilbert gentoo-dev 2017-09-05 20:29:32 UTC
Adding app-text/docbook-xsl-stylesheets-1.79.1-r2 for bug 630022 and 630024.
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-05 21:12:20 UTC
Removing arches until Toralf finishes his tinderbox run.
Comment 11 Mike Gilbert gentoo-dev 2017-09-05 21:17:41 UTC
(In reply to Aaron Bauman from comment #10)
> Removing arches until Toralf finishes his tinderbox run.

It would probably be useful to start over with app-text/docbook-xsl-stylesheets-1.79.1-r2 installed -- otherwise we are going to end up with a bunch of duplicates.
Comment 12 Pacho Ramos gentoo-dev 2017-09-06 09:23:43 UTC
(In reply to Toralf Förster from comment #8)
> (In reply to Pacho Ramos from comment #7)
> Sure, for dev-libs/libxslt-1.1.30 being keyworded at that stable image or
> for the current stable 1.1.29 ?

For 1.1.30 :)
Comment 13 Toralf Förster gentoo-dev 2017-09-13 13:06:57 UTC
(In reply to Pacho Ramos from comment #12)
Well, so >4,600 packages already emerged here at the run/13.0-desktop-gnome-systemd_stable_20170905-222907 image, will let it continue to run few more days, but seems fine so far.
Comment 14 Pacho Ramos gentoo-dev 2017-09-14 11:25:53 UTC
Yeah, probably most were caused by app-text/docbook-xsl-stylesheets needing to be adapted and we can go ahead :)

Thanks a lot
Comment 15 Pacho Ramos gentoo-dev 2017-12-02 09:56:37 UTC
*** Bug 639398 has been marked as a duplicate of this bug. ***
Comment 16 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-03 18:09:23 UTC
hppa stable
Comment 17 Agostino Sarubbo gentoo-dev 2017-12-04 14:41:55 UTC
amd64 stable
Comment 18 Mike Gilbert gentoo-dev 2017-12-05 16:43:59 UTC
I stabilized app-text/docbook-xsl-stylesheets-1.79.1-r2 for all arches.
Comment 19 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-06 22:53:32 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 20 Thomas Deutschmann gentoo-dev Security 2017-12-08 20:40:18 UTC
x86 stable
Comment 21 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-09 19:38:06 UTC
ia64 stable
Comment 22 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-09 20:00:48 UTC
alpha stable

Was done as:

commit f1b3d8c2b835778d45d9645a02f0a0369a93f25e
Author: Tobias Klausmann <klausman@gentoo.org>
Date:   Mon Nov 6 21:49:24 2017 +0100
Comment 23 Markus Meier gentoo-dev 2017-12-12 18:38:07 UTC
arm stable, all arches done.
Comment 24 Mart Raudsepp gentoo-dev 2017-12-13 09:48:51 UTC
I've removed security supported arch keywords from the vulnerable version. Don't want to break arm64 stage3 building even more before I can stabilize libxslt there and clean up the ebuild. This should be sufficient for security purposes for supported arches.
Comment 25 Mart Raudsepp gentoo-dev 2018-03-02 17:07:58 UTC
cleanup fully done after stabling arm64; I don't see a glsa vote having happened here?
Comment 26 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-03 19:41:28 UTC
GLSA request filed.
Comment 27 GLSAMaker/CVETool Bot gentoo-dev 2018-04-04 01:52:50 UTC
This issue was resolved and addressed in
 GLSA 201804-01 at https://security.gentoo.org/glsa/201804-01
by GLSA coordinator Aaron Bauman (b-man).