Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 612194 (CVE-2017-5029) - <dev-libs/libxslt-1.1.30: integer overflow
Summary: <dev-libs/libxslt-1.1.30: integer overflow
Status: RESOLVED FIXED
Alias: CVE-2017-5029
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa+ cve]
Keywords:
: 639398 (view as bug list)
Depends on: 630022 630024
Blocks:
  Show dependency tree
 
Reported: 2017-03-10 11:25 UTC by Agostino Sarubbo
Modified: 2018-04-04 01:52 UTC (History)
5 users (show)

See Also:
Package list:
=dev-libs/libxslt-1.1.30-r2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-03-10 11:25:52 UTC
From ${URL} :

An integer overflow flaw was found in the libxslt component of the Chromium browser.

Upstream bug(s):

https://code.google.com/p/chromium/issues/detail?id=676623

External References:

https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-17 01:15:46 UTC
Please confirm if this was fixed in Bug# 612190
Comment 2 Mike Gilbert gentoo-dev 2017-05-17 03:02:16 UTC
(In reply to Yury German from comment #1)
> Please confirm if this was fixed in Bug# 612190

Almost certainly not. There is no mention of dev-libs/libxslt in that bug report.
Comment 3 Mike Gilbert gentoo-dev 2017-05-17 03:06:33 UTC
Upstream fix is here:

https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5

As far as I can tell, it has not been include in any versioned release yet.
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-06-06 13:53:11 UTC
@ Maintainer(s): Please consider a rev bump to add patches for this vulnerability and bug 598204.
Comment 5 Gilles Dartiguelongue gentoo-dev 2017-09-05 06:59:10 UTC
This patch made it to 1.1.30 release that I just added to the tree.
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-05 15:49:16 UTC
Thank you Gilles,

@Arches please test and mark stable,  CCing HPPA till we have a final resolution in Bug 629554.


Gentoo Security Padawan
ChrisADR
Comment 7 Pacho Ramos gentoo-dev 2017-09-05 19:02:31 UTC
Please note I have just noticed systemd stopping building with this version (#630022). It's because of this commit:
https://git.gnome.org/browse/libxslt/commit/?id=1c8e0e556289582fece6f1a59113a7a5bef46ba4

Maybe Toralf could run a *stable* tinderbox to rebuild all dev-libs/libxslt reverse deps and see if others are broken too :/ Thanks! :)
Comment 8 Toralf Förster gentoo-dev 2017-09-05 20:18:09 UTC
(In reply to Pacho Ramos from comment #7)
Sure, for dev-libs/libxslt-1.1.30 being keyworded at that stable image or for the current stable 1.1.29 ?
Comment 9 Mike Gilbert gentoo-dev 2017-09-05 20:29:32 UTC
Adding app-text/docbook-xsl-stylesheets-1.79.1-r2 for bug 630022 and 630024.
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-05 21:12:20 UTC
Removing arches until Toralf finishes his tinderbox run.
Comment 11 Mike Gilbert gentoo-dev 2017-09-05 21:17:41 UTC
(In reply to Aaron Bauman from comment #10)
> Removing arches until Toralf finishes his tinderbox run.

It would probably be useful to start over with app-text/docbook-xsl-stylesheets-1.79.1-r2 installed -- otherwise we are going to end up with a bunch of duplicates.
Comment 12 Pacho Ramos gentoo-dev 2017-09-06 09:23:43 UTC
(In reply to Toralf Förster from comment #8)
> (In reply to Pacho Ramos from comment #7)
> Sure, for dev-libs/libxslt-1.1.30 being keyworded at that stable image or
> for the current stable 1.1.29 ?

For 1.1.30 :)
Comment 13 Toralf Förster gentoo-dev 2017-09-13 13:06:57 UTC
(In reply to Pacho Ramos from comment #12)
Well, so >4,600 packages already emerged here at the run/13.0-desktop-gnome-systemd_stable_20170905-222907 image, will let it continue to run few more days, but seems fine so far.
Comment 14 Pacho Ramos gentoo-dev 2017-09-14 11:25:53 UTC
Yeah, probably most were caused by app-text/docbook-xsl-stylesheets needing to be adapted and we can go ahead :)

Thanks a lot
Comment 15 Pacho Ramos gentoo-dev 2017-12-02 09:56:37 UTC
*** Bug 639398 has been marked as a duplicate of this bug. ***
Comment 16 Sergei Trofimovich gentoo-dev 2017-12-03 18:09:23 UTC
hppa stable
Comment 17 Agostino Sarubbo gentoo-dev 2017-12-04 14:41:55 UTC
amd64 stable
Comment 18 Mike Gilbert gentoo-dev 2017-12-05 16:43:59 UTC
I stabilized app-text/docbook-xsl-stylesheets-1.79.1-r2 for all arches.
Comment 19 Sergei Trofimovich gentoo-dev 2017-12-06 22:53:32 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 20 Thomas Deutschmann gentoo-dev Security 2017-12-08 20:40:18 UTC
x86 stable
Comment 21 Sergei Trofimovich gentoo-dev 2017-12-09 19:38:06 UTC
ia64 stable
Comment 22 Sergei Trofimovich gentoo-dev 2017-12-09 20:00:48 UTC
alpha stable

Was done as:

commit f1b3d8c2b835778d45d9645a02f0a0369a93f25e
Author: Tobias Klausmann <klausman@gentoo.org>
Date:   Mon Nov 6 21:49:24 2017 +0100
Comment 23 Markus Meier gentoo-dev 2017-12-12 18:38:07 UTC
arm stable, all arches done.
Comment 24 Mart Raudsepp gentoo-dev 2017-12-13 09:48:51 UTC
I've removed security supported arch keywords from the vulnerable version. Don't want to break arm64 stage3 building even more before I can stabilize libxslt there and clean up the ebuild. This should be sufficient for security purposes for supported arches.
Comment 25 Mart Raudsepp gentoo-dev 2018-03-02 17:07:58 UTC
cleanup fully done after stabling arm64; I don't see a glsa vote having happened here?
Comment 26 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-03 19:41:28 UTC
GLSA request filed.
Comment 27 GLSAMaker/CVETool Bot gentoo-dev 2018-04-04 01:52:50 UTC
This issue was resolved and addressed in
 GLSA 201804-01 at https://security.gentoo.org/glsa/201804-01
by GLSA coordinator Aaron Bauman (b-man).