
Bug 612194 (CVE-2017-5029)

Summary: <dev-libs/libxslt-1.1.30: integer overflow
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: bugs, chromium, gnome, Manfred.Knick, toralf
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1431033
See Also: https://bugs.gentoo.org/show_bug.cgi?id=598204
Whiteboard: A2 [glsa+ cve]
Package list:
=dev-libs/libxslt-1.1.30-r2
Runtime testing required: ---
Bug Depends on: 630022, 630024    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2017-03-10 11:25:52 UTC
From ${URL} :

An integer overflow flaw was found in the libxslt component of the Chromium browser.

Upstream bug(s):

https://code.google.com/p/chromium/issues/detail?id=676623

External References:

https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-05-17 01:15:46 UTC
Please confirm if this was fixed in Bug# 612190
Comment 2 Mike Gilbert gentoo-dev 2017-05-17 03:02:16 UTC
(In reply to Yury German from comment #1)
> Please confirm if this was fixed in Bug# 612190

Almost certainly not. There is no mention of dev-libs/libxslt in that bug report.
Comment 3 Mike Gilbert gentoo-dev 2017-05-17 03:06:33 UTC
Upstream fix is here:

https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5

As far as I can tell, it has not been included in any versioned release yet.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-06 13:53:11 UTC
@ Maintainer(s): Please consider a rev bump to add patches for this vulnerability and bug 598204.
Comment 5 Gilles Dartiguelongue (RETIRED) gentoo-dev 2017-09-05 06:59:10 UTC
This patch made it to 1.1.30 release that I just added to the tree.
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-05 15:49:16 UTC
Thank you Gilles,

@Arches please test and mark stable, CCing HPPA till we have a final resolution in Bug 629554.


Gentoo Security Padawan
ChrisADR
Comment 7 Pacho Ramos gentoo-dev 2017-09-05 19:02:31 UTC
Please note I have just noticed systemd stopping building with this version (#630022). It's because of this commit:
https://git.gnome.org/browse/libxslt/commit/?id=1c8e0e556289582fece6f1a59113a7a5bef46ba4

Maybe Toralf could run a *stable* tinderbox to rebuild all dev-libs/libxslt reverse deps and see if others are broken too :/ Thanks! :)
Comment 8 Toralf Förster gentoo-dev 2017-09-05 20:18:09 UTC
(In reply to Pacho Ramos from comment #7)
Sure, for dev-libs/libxslt-1.1.30 being keyworded at that stable image or for the current stable 1.1.29 ?
Comment 9 Mike Gilbert gentoo-dev 2017-09-05 20:29:32 UTC
Adding app-text/docbook-xsl-stylesheets-1.79.1-r2 for bug 630022 and 630024.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-09-05 21:12:20 UTC
Removing arches until Toralf finishes his tinderbox run.
Comment 11 Mike Gilbert gentoo-dev 2017-09-05 21:17:41 UTC
(In reply to Aaron Bauman from comment #10)
> Removing arches until Toralf finishes his tinderbox run.

It would probably be useful to start over with app-text/docbook-xsl-stylesheets-1.79.1-r2 installed -- otherwise we are going to end up with a bunch of duplicates.
Comment 12 Pacho Ramos gentoo-dev 2017-09-06 09:23:43 UTC
(In reply to Toralf Förster from comment #8)
> (In reply to Pacho Ramos from comment #7)
> Sure, for dev-libs/libxslt-1.1.30 being keyworded at that stable image or
> for the current stable 1.1.29 ?

For 1.1.30 :)
Comment 13 Toralf Förster gentoo-dev 2017-09-13 13:06:57 UTC
(In reply to Pacho Ramos from comment #12)
Well, so >4,600 packages already emerged here at the run/13.0-desktop-gnome-systemd_stable_20170905-222907 image, will let it continue to run a few more days, but seems fine so far.
Comment 14 Pacho Ramos gentoo-dev 2017-09-14 11:25:53 UTC
Yeah, probably most were caused by app-text/docbook-xsl-stylesheets needing to be adapted and we can go ahead :)

Thanks a lot
Comment 15 Pacho Ramos gentoo-dev 2017-12-02 09:56:37 UTC
*** Bug 639398 has been marked as a duplicate of this bug. ***
Comment 16 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-03 18:09:23 UTC
hppa stable
Comment 17 Agostino Sarubbo gentoo-dev 2017-12-04 14:41:55 UTC
amd64 stable
Comment 18 Mike Gilbert gentoo-dev 2017-12-05 16:43:59 UTC
I stabilized app-text/docbook-xsl-stylesheets-1.79.1-r2 for all arches.
Comment 19 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-06 22:53:32 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-08 20:40:18 UTC
x86 stable
Comment 21 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-09 19:38:06 UTC
ia64 stable
Comment 22 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-09 20:00:48 UTC
alpha stable

Was done as:

commit f1b3d8c2b835778d45d9645a02f0a0369a93f25e
Author: Tobias Klausmann <klausman@gentoo.org>
Date:   Mon Nov 6 21:49:24 2017 +0100
Comment 23 Markus Meier gentoo-dev 2017-12-12 18:38:07 UTC
arm stable, all arches done.
Comment 24 Mart Raudsepp gentoo-dev 2017-12-13 09:48:51 UTC
I've removed security supported arch keywords from the vulnerable version. Don't want to break arm64 stage3 building even more before I can stabilize libxslt there and clean up the ebuild. This should be sufficient for security purposes for supported arches.
Comment 25 Mart Raudsepp gentoo-dev 2018-03-02 17:07:58 UTC
cleanup fully done after stabling arm64; I don't see a glsa vote having happened here?
Comment 26 Aaron Bauman (RETIRED) gentoo-dev 2018-04-03 19:41:28 UTC
GLSA request filed.
Comment 27 GLSAMaker/CVETool Bot gentoo-dev 2018-04-04 01:52:50 UTC
This issue was resolved and addressed in
 GLSA 201804-01 at https://security.gentoo.org/glsa/201804-01
by GLSA coordinator Aaron Bauman (b-man).