Bug 446809 - (CVE-2008-1767) CVE-2008-1767 libxslt: fixed-sized steps array overflow via "template match" condition in XSL file
CVE-2008-1767 libxslt: fixed-sized steps array overflow via "template match" ...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
source=secalert,reported=20080515,pub...
: Security
Depends On: 446886 446887 446888 446890 446891 446892 833935
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-16 04:44 EDT by Tomas Hoger
Modified: 2012-06-20 10:21 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 04:00:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Local copy of the upstream patch (6.86 KB, patch)
2008-05-16 04:46 EDT, Tomas Hoger
no flags Details | Diff
Patch for libxslt 1.1.11 (5.14 KB, patch)
2008-05-19 11:27 EDT, Tomas Hoger
no flags Details | Diff
Patch for libxslt 1.0.15 (5.22 KB, patch)
2008-05-19 11:28 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2008-05-16 04:44:32 EDT
It was discovered that libxslt uses fixed-sized steps array during the XML
document transformation.  This array may overflow during the processing of
certain XML/XSLT transformations, causing a crash of XSLT processor using
libxslt or, possibly, execute an arbitrary code.

Upstream bug report:
http://bugzilla.gnome.org/show_bug.cgi?id=527297

Upstream patch:
http://bugzilla.gnome.org/attachment.cgi?id=109216&action=view
http://svn.gnome.org/viewvc/libxslt/trunk/libxslt/pattern.c?r1=1469&r2=1468&pathrev=1469

Fixed upstream in version 1.1.24.
Comment 1 Tomas Hoger 2008-05-16 04:45:38 EDT
This issue was reported to us by Anthony de Almeida Lopes.
Comment 2 Tomas Hoger 2008-05-16 04:46:35 EDT
Created attachment 305661 [details]
Local copy of the upstream patch
Comment 10 Tomas Hoger 2008-05-16 12:16:58 EDT
Clarification of the initial comment #0:  this issue is caused by the flaw in
the handling of the "template match" condition and it occurs during the parsing
/ compilation of the crafted XSL style-sheet file.  This can only be exploited
via malicious XSL file and does not depend on the content of the processed XML file.

This issue affected versions of libxslt as shipped in Red Hat Enterprise Linux
2.1, 3, 4, and 5. 
Comment 13 Tomas Hoger 2008-05-19 11:27:53 EDT
Created attachment 305960 [details]
Patch for libxslt 1.1.11

Daniel Veillard's backport of the patch to libxslt 1.1.11.
Comment 14 Tomas Hoger 2008-05-19 11:28:30 EDT
Created attachment 305961 [details]
Patch for libxslt 1.0.15

Daniel Veillard's backport of the patch to libxslt 1.0.15.
Comment 15 Tomas Hoger 2008-05-21 03:12:31 EDT
Lifting embargo.

Note You need to log in before you can comment on or make changes to this bug.