Bug 446809 (CVE-2008-1767)

Summary: CVE-2008-1767 libxslt: fixed-sized steps array overflow via "template match" condition in XSL file
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: kreilly, veillard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 08:00:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 446886, 446887, 446888, 446890, 446891, 446892, 833935    
Bug Blocks:    
Attachments:
Description Flags
Local copy of the upstream patch
none
Patch for libxslt 1.1.11
none
Patch for libxslt 1.0.15 none

Description Tomas Hoger 2008-05-16 08:44:32 UTC 
It was discovered that libxslt uses fixed-sized steps array during the XML
document transformation.  This array may overflow during the processing of
certain XML/XSLT transformations, causing a crash of XSLT processor using
libxslt or, possibly, execute an arbitrary code.

Upstream bug report:
http://bugzilla.gnome.org/show_bug.cgi?id=527297

Upstream patch:
http://bugzilla.gnome.org/attachment.cgi?id=109216&action=view
http://svn.gnome.org/viewvc/libxslt/trunk/libxslt/pattern.c?r1=1469&r2=1468&pathrev=1469

Fixed upstream in version 1.1.24.
Comment 1 Tomas Hoger 2008-05-16 08:45:38 UTC 
This issue was reported to us by Anthony de Almeida Lopes.
Comment 2 Tomas Hoger 2008-05-16 08:46:35 UTC 
Created attachment 305661 [details]
Local copy of the upstream patch
Comment 10 Tomas Hoger 2008-05-16 16:16:58 UTC 
Clarification of the initial comment #0:  this issue is caused by the flaw in
the handling of the "template match" condition and it occurs during the parsing
/ compilation of the crafted XSL style-sheet file.  This can only be exploited
via malicious XSL file and does not depend on the content of the processed XML file.

This issue affected versions of libxslt as shipped in Red Hat Enterprise Linux
2.1, 3, 4, and 5.
Comment 13 Tomas Hoger 2008-05-19 15:27:53 UTC 
Created attachment 305960 [details]
Patch for libxslt 1.1.11

Daniel Veillard's backport of the patch to libxslt 1.1.11.
Comment 14 Tomas Hoger 2008-05-19 15:28:30 UTC 
Created attachment 305961 [details]
Patch for libxslt 1.0.15

Daniel Veillard's backport of the patch to libxslt 1.0.15.
Comment 15 Tomas Hoger 2008-05-21 07:12:31 UTC 
Lifting embargo.
Comment 16 Red Hat Product Security 2008-05-21 08:00:25 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0287.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-4130
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3973
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3889