Red Hat Bugzilla – Bug 446809
CVE-2008-1767 libxslt: fixed-sized steps array overflow via "template match" condition in XSL file
Last modified: 2012-06-20 10:21:36 EDT
It was discovered that libxslt uses fixed-sized steps array during the XML
document transformation. This array may overflow during the processing of
certain XML/XSLT transformations, causing a crash of XSLT processor using
libxslt or, possibly, execute an arbitrary code.
Upstream bug report:
Fixed upstream in version 1.1.24.
This issue was reported to us by Anthony de Almeida Lopes.
Created attachment 305661 [details]
Local copy of the upstream patch
Clarification of the initial comment #0: this issue is caused by the flaw in
the handling of the "template match" condition and it occurs during the parsing
/ compilation of the crafted XSL style-sheet file. This can only be exploited
via malicious XSL file and does not depend on the content of the processed XML file.
This issue affected versions of libxslt as shipped in Red Hat Enterprise Linux
2.1, 3, 4, and 5.
Created attachment 305960 [details]
Patch for libxslt 1.1.11
Daniel Veillard's backport of the patch to libxslt 1.1.11.
Created attachment 305961 [details]
Patch for libxslt 1.0.15
Daniel Veillard's backport of the patch to libxslt 1.0.15.
This issue was addressed in:
Red Hat Enterprise Linux: