Bug 232172 (CVE-2008-2935) - dev-libs/libxslt >= 1.1.8 <= 1.1.24 heap overflow (CVE-2008-2935)
Summary: dev-libs/libxslt >= 1.1.8 <= 1.1.24 heap overflow (CVE-2008-2935)
Status: RESOLVED FIXED
Alias: CVE-2008-2935
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://ocert.org/advisories/ocert-200...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-07-18 09:36 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-20 04:57 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
patch for CVE-2008-2935 (exslt_crypt.patch,4.79 KB, patch)
2008-07-18 09:38 UTC, Matthias Geerdsen (RETIRED)
Ebuild applying patch (libxslt-1.1.24-r1.ebuild,1.96 KB, text/plain)
2008-07-18 12:42 UTC, Daniel Gryniewicz (RETIRED)
libxslt-1.1.24-r1.tar.gz (libxslt-1.1.24-r1.tar.gz,4.18 KB, application/octet-stream)
2008-07-18 15:31 UTC, Robert Buchholz (RETIRED)

Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-18 09:36:40 UTC
** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **

oCERT reports the following, crediting Chris Evans from the Google Security Team

Description:

The libexslt library bundled with libxslt is affected by a heap-based buffer
overflow which can lead to arbitrary code execution.

The vulnerability is present in the rc4 encryption/decryption functions. An
arbitrary length string, passed as an argument in the XSL input, is incorrectly
copied over a padding variable which is previously allocated with a fixed size
of 128bit (RC4_KEY_LENGTH).

Aside from the heap overflow, other bugs affect the code: the length of the
plaintext string argument is used for computing the key length rather than the
actual key, and the zero-padding of the key is incorrectly computed.

A simple XML file with excessively long input can be crafted for triggering the
heap overflow.

Affected version:

libxslt >= 1.18, <= 1.1.24


--------
adding eva and dang for the gnome herd, solar for infra as they might be interested in this
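As an added illustration (not libexslt's code and not the attached patch), here is a bounded key-padding routine in C that closes the three defects the advisory lists: the copy is bounded by the fixed buffer, the length is taken from the key rather than the plaintext argument, and the padding is zeroed explicitly. The value of RC4_KEY_LENGTH, the function names and the sample keys are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed key buffer; the advisory names the constant
 * RC4_KEY_LENGTH, the value here is chosen for the example. */
#define RC4_KEY_LENGTH 128

/* Copy the caller-supplied key into a fixed-size, zero-padded buffer.
 * Returns the number of key bytes used, or -1 if the key does not fit.
 * Contrast with the defects the advisory describes:
 *  1. the copy is bounded by RC4_KEY_LENGTH instead of by the input;
 *  2. the length is measured on the key, not on the plaintext argument;
 *  3. the unused tail of padkey is explicitly zeroed. */
int rc4_pad_key(uint8_t padkey[RC4_KEY_LENGTH],
                const char *key, size_t plaintext_len)
{
    size_t key_len = strlen(key);      /* (2) measure the key itself */
    (void)plaintext_len;               /* plaintext length plays no role */

    if (key_len > RC4_KEY_LENGTH)      /* (1) reject instead of overflowing */
        return -1;

    memset(padkey, 0, RC4_KEY_LENGTH); /* (3) zero-pad the whole buffer */
    memcpy(padkey, key, key_len);
    return (int)key_len;
}

/* Helper for callers and tests: 1 if every byte from `from` onward is 0. */
int rc4_tail_is_zero(const uint8_t padkey[RC4_KEY_LENGTH], size_t from)
{
    for (size_t i = from; i < RC4_KEY_LENGTH; i++)
        if (padkey[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    uint8_t padkey[RC4_KEY_LENGTH];
    char toolong[RC4_KEY_LENGTH + 2];   /* constructed over-long key */

    memset(toolong, 'k', RC4_KEY_LENGTH + 1);
    toolong[RC4_KEY_LENGTH + 1] = '\0';
    printf("short key -> %d bytes used\n", rc4_pad_key(padkey, "secret", 100000));
    printf("oversized -> %d (rejected)\n", rc4_pad_key(padkey, toolong, 1));
    return 0;
}
```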
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-18 09:38:23 UTC
Created attachment 160702 [details, diff]
patch for CVE-2008-2935
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-18 12:39:32 UTC
(In reply to comment #0)

> libxslt >= 1.18, <= 1.1.24
this should be >= 1.1.8, <= 1.1.24

dang/eva could you prepare an ebuild with the patch and attach it here, so arch security liaisons can test it
Comment 3 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-07-18 12:42:27 UTC
Created attachment 160719 [details]
Ebuild applying patch

The patch looks correct; that said, there have to have been a lot of circumstances when it just didn't work before.  That made me curious.  As far as the sources on my box and google knows, nothing uses those functions at all.  Maybe they're used indirectly in some way I can't find?

Anyway, I'm attaching an ebuild that applies that patch (renamed to ${P}-exslt_crypt.patch) so it can be tested.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-18 13:15:25 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : opfer

----
dang, probably used indirectly by including the relevant extension (http://exslt.org/howto.html)
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-07-18 15:31:09 UTC
Created attachment 160731 [details]
libxslt-1.1.24-r1.tar.gz

If it helps anyone, here's the overlay incorporating all files.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-07-18 15:31:48 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : opfer
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-07-18 16:52:00 UTC
HPPA is OK.
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2008-07-18 17:40:33 UTC
libxslt-1.1.24-r1 looks good on sparc (tests run OK).
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-07-18 18:45:53 UTC
Looks good on alpha/ia64/x86
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2008-07-19 06:34:37 UTC
looks good on ppc64
Comment 11 Peter Weller (RETIRED) gentoo-dev 2008-07-22 23:50:02 UTC
Looks good on amd64 too :D
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-30 16:41:16 UTC
a bit late, but looks also good on ppc
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-07-30 17:03:32 UTC
GNOME team, this will go public tomorrow at 15:00 UTC (17:00 CEST), please commit after that with the stable keywords gathered in this bug.
Comment 14 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-07-31 20:48:40 UTC
ebuild committed.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-07-31 23:37:42 UTC
Arches, please test and mark stable:
=dev-libs/libxslt-1.1.24-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Missing keywords: "arm m68k s390 sh"
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2008-08-07 12:59:16 UTC
GLSA 200808-06