libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
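The fail-open pattern described above, as an added example that is not libxslt's code and not part of the original report. `policy_check_read` and both callers are hypothetical stand-ins, and the https-only policy and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical tri-state policy check (not libxslt code):
 *   1 = access allowed, 0 = access denied, -1 = the check itself failed. */
static int policy_check_read(const char *url)
{
    const char *sep = strstr(url, "://");
    if (sep == NULL || sep == url)
        return -1;                      /* no scheme found: no verdict reached */
    if (strncmp(url, "https://", 8) == 0)
        return 1;                       /* constructed policy: only https is readable */
    return 0;
}

/* Fail-open caller: only an explicit 0 blocks, so -1 falls through to the load. */
static int load_fail_open(const char *url)
{
    int res = policy_check_read(url);
    if (res == 0)
        return 0;                       /* blocked */
    return 1;                           /* a loader would now open url */
}

/* Fail-closed caller: anything but a positive verdict blocks the load. */
static int load_fail_closed(const char *url)
{
    int res = policy_check_read(url);
    if (res <= 0)
        return 0;                       /* denied, or the check errored */
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: allowed, denied, and one the check cannot judge. */
    const char *samples[] = { "https://example.org/a.xml",
                              "file:///etc/hostname",
                              "notes/local.xml" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s check=%2d fail-open=%d fail-closed=%d\n", samples[i],
               policy_check_read(samples[i]), load_fail_open(samples[i]),
               load_fail_closed(samples[i]));
    return 0;
}
```

The third input is the interesting one: the check returns -1, the fail-open caller proceeds to load it, and the fail-closed caller refuses.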
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9128cdb81b317f56cf4605404e556b8681152fe9

commit 9128cdb81b317f56cf4605404e556b8681152fe9
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2019-05-14 05:20:16 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2019-05-14 05:20:55 +0000

    dev-libs/libxslt: bump with patch for CVE-2019-11068

    Fixes: https://bugs.gentoo.org/684206
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 dev-libs/libxslt/Manifest                 |   2 +
 dev-libs/libxslt/libxslt-1.1.33-r1.ebuild | 125 ++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+)

security: this bump is in place now; but I notice that the src_test is broken even in the last version in the tree; I think it's a false positive from bad paths in the testsuite somehow. (this path difference on every test, same in 1.1.33).

test-2.5-1 result
1c1
< compilation error: file ./test-2.5-1.xsl line 2 element stylesheet
---
> compilation error: file /var/tmp/portage/dev-libs/libxslt-1.1.32/work/libxslt-1.1.32/tests/REC/test-2.5-1.xsl line 2 element stylesheet
arm64 stable
sparc stable
amd64 stable
ia64 stable
ppc stable
ppc64 stable
hppa stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1aa3e24bdbc61cdc08956e8dfed3a4232ee447db

commit 1aa3e24bdbc61cdc08956e8dfed3a4232ee447db
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-06-04 07:52:22 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-06-04 07:52:38 +0000

    dev-libs/libxslt-1.1.33-r1: alpha stable

    Bug: http://bugs.gentoo.org/684206
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-libs/libxslt/libxslt-1.1.33-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
s390 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
arm stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63a57c62a64f107d7ab34da854ac7a7a218fe5a6

commit 63a57c62a64f107d7ab34da854ac7a7a218fe5a6
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-07-07 18:21:47 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-07-07 18:58:40 +0000

    dev-libs/libxslt: security cleanup

    Bug: https://bugs.gentoo.org/684206
    Package-Manager: Portage-2.3.68, Repoman-2.3.16
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/libxslt/Manifest              |   1 -
 dev-libs/libxslt/libxslt-1.1.32.ebuild | 123 ---------------------------------
 2 files changed, 124 deletions(-)

The Manifest for libxslt-1.1.33-r1 is out-of-date. The patch has a version number at the end of the file: 2.21.0. This results in a checksum failure. When inspecting another system where the install worked correctly, I can see that the patch has the version 2.18.1. This yields the correct checksum. It appears that upstream has updated the file without changing any naming or versioning information. Is this worth a new bug, or is this bug the proper place to report?

Note that in my emerge process, the patch has disappeared completely from the default mirror that I use.

http://mirror.switch.ch/ftp/mirror/gentoo/distfiles/libxslt-1.1.33.tar.gz fails with "ERROR 410: Gone"
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch succeeds.

In my version of the Manifest file, the checksums are as follows:

DIST libxslt-1.1.33-CVE-2019-11068.patch 3965 BLAKE2B eb3a0741ac9f464e31e8edd276fec4d837c63676a56a446ad42a0e251508bacb0129cbe18783de305336eaa32b189ffc23e95e03cfd5f940d4dee376f1fa0f8c SHA512 9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948

Would it be useful to attach the working and broken versions of the patch?

Created attachment 582962
Working version of the patch - no longer downloadable

Current URL used to download via portage: https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch
Reference to the forum discussion: https://forums.gentoo.org/viewtopic-p-8352262.html
This appears to be a problem with the mirror I was using: GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo/" I've used this mirror for years on multiple systems without issue. I can perform a clean merge of libxslt-1.1.33-r1 via multiple other mirrors without issue. Pardon the misplaced noise. Perhaps an admin may want to delete these comments?