From ${URL} : An integer overflow flaw was found in the libxslt component of the Chromium browser. Upstream bug(s): https://code.google.com/p/chromium/issues/detail?id=676623 External References: https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Please confirm if this was fixed in Bug# 612190
(In reply to Yury German from comment #1) > Please confirm if this was fixed in Bug# 612190 Almost certainly not. There is no mention of dev-libs/libxslt in that bug report.
Upstream fix is here: https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5 As far as I can tell, it has not been include in any versioned release yet.
@ Maintainer(s): Please consider a rev bump to add patches for this vulnerability and bug 598204.
This patch made it to 1.1.30 release that I just added to the tree.
Thank you Gilles, @Arches please test and mark stable, CCing HPPA till we have a final resolution in Bug 629554. Gentoo Security Padawan ChrisADR
Please note I have just noticed systemd stopping building with this version (#630022). It's because of this commit: https://git.gnome.org/browse/libxslt/commit/?id=1c8e0e556289582fece6f1a59113a7a5bef46ba4 Maybe Toralf could run a *stable* tinderbox to rebuild all dev-libs/libxslt reverse deps and see if others are broken too :/ Thanks! :)
(In reply to Pacho Ramos from comment #7) Sure, for dev-libs/libxslt-1.1.30 being keyworded at that stable image or for the current stable 1.1.29 ?
Adding app-text/docbook-xsl-stylesheets-1.79.1-r2 for bug 630022 and 630024.
Removing arches until Toralf finishes his tinderbox run.
(In reply to Aaron Bauman from comment #10) > Removing arches until Toralf finishes his tinderbox run. It would probably be useful to start over with app-text/docbook-xsl-stylesheets-1.79.1-r2 installed -- otherwise we are going to end up with a bunch of duplicates.
(In reply to Toralf Förster from comment #8) > (In reply to Pacho Ramos from comment #7) > Sure, for dev-libs/libxslt-1.1.30 being keyworded at that stable image or > for the current stable 1.1.29 ? For 1.1.30 :)
(In reply to Pacho Ramos from comment #12) Well, so >4,600 packages already emerged here at the run/13.0-desktop-gnome-systemd_stable_20170905-222907 image, will let it continue to run few more days, but seems fine so far.
Yeah, probably most were caused by app-text/docbook-xsl-stylesheets needing to be adapted and we can go ahead :) Thanks a lot
*** Bug 639398 has been marked as a duplicate of this bug. ***
hppa stable
amd64 stable
I stabilized app-text/docbook-xsl-stylesheets-1.79.1-r2 for all arches.
sparc stable (thanks to Rolf Eike Beer)
x86 stable
ia64 stable
alpha stable Was done as: commit f1b3d8c2b835778d45d9645a02f0a0369a93f25e Author: Tobias Klausmann <klausman@gentoo.org> Date: Mon Nov 6 21:49:24 2017 +0100
arm stable, all arches done.
I've removed security supported arch keywords from the vulnerable version. Don't want to break arm64 stage3 building even more before I can stabilize libxslt there and clean up the ebuild. This should be sufficient for security purposes for supported arches.
cleanup fully done after stabling arm64; I don't see a glsa vote having happened here?
GLSA request filed.
This issue was resolved and addressed in GLSA 201804-01 at https://security.gentoo.org/glsa/201804-01 by GLSA coordinator Aaron Bauman (b-man).
