** Please note that this issue is confidential at the moment and no information should be disclosed until it is made public ** oCERT reports the following, crediting Chris Evans from the Google Security Team Description: The libexslt library bundled with libxslt is affected by a heap-based buffer overflow which can lead to arbitrary code execution. The vulnerability is present in the rc4 encryption/decryption functions. An arbitrary length string, passed as an argument in the XSL input, is incorrectly copied over a padding variable which is previously allocated with a fixed size of 128bit (RC4_KEY_LENGTH). Aside from the heap overflow other bugs affect the code, the length of the plaintext string argument is used for computing the key length rather than the actual key and the zero-padding of the key is incorrectly computed. A simple XML file with excessively long input can be crafted for triggering the heap overflow. Affected version: libxslt >= 1.18, <= 1.1.24 -------- adding eva and dang for the gnome herd, solar for infra as they might be interested in this
Created attachment 160702 [details, diff] patch for CVE-2008-2935
(In reply to comment #0) > libxslt >= 1.18, <= 1.1.24 this should be >= 1.1.8, <= 1.1.24 dang/eva could you prepare an ebuild with the patch and attach it here, so arch security liaisons can test it
Created attachment 160719 [details] Ebuild applying patch The patch looks correct; that said, there have to have been a lot of circumstances when it just didn't work before. That made me curious. As far as the sources on my box and google knows, nothing uses those functions at all. Maybe they're used indirectly in some way I can't find? Anyway, I'm attaching an ebuild that applies that patch (renamed to ${P}-exslt_crypt.patch) so it can be tested.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" CC'ing current Liaisons: alpha : yoswink amd64 : welp hppa : jer ppc : dertobi123 ppc64 : corsair sparc : fmccor x86 : opfer ---- dang, probably used indirectly by including the relevant extension (http://exslt.org/howto.html)
Created attachment 160731 [details] libxslt-1.1.24-r1.tar.gz If it helps anyone, here's the overlay incorporating all files.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" CC'ing current Liaisons: alpha : yoswink amd64 : welp hppa : jer ppc : dertobi123 ppc64 : corsair sparc : fmccor x86 : opfer
HPPA is OK.
libxslt-1.1.24-r1 looks good on sparc (tests run OK).
Looks good on alpha/ia64/x86
looks good on ppc64
Looks good on amd64 too :D
a bit late, but looks also good on ppc
GNOME team, this will go public tomorrow at 15:00 UTC (17:00 CEST), please commit after that with the stable keywords gathered in this bug.
ebuild commited.
Arches, please test and mark stable: =dev-libs/libxslt-1.1.24-r1 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" Already stabled : "alpha amd64 hppa ia64 ppc ppc64 sparc x86" Missing keywords: "arm m68k s390 sh"
GLSA 200808-06