It was discovered that libxslt uses fixed-sized steps array during the XML document transformation. This array may overflow during the processing of certain XML/XSLT transformations, causing a crash of XSLT processor using libxslt or, possibly, execute an arbitrary code. Upstream bug report: http://bugzilla.gnome.org/show_bug.cgi?id=527297 Upstream patch: http://bugzilla.gnome.org/attachment.cgi?id=109216&action=view http://svn.gnome.org/viewvc/libxslt/trunk/libxslt/pattern.c?r1=1469&r2=1468&pathrev=1469 Fixed upstream in version 1.1.24.
This issue was reported to us by Anthony de Almeida Lopes.
Created attachment 305661 [details] Local copy of the upstream patch
Clarification of the initial comment #0: this issue is caused by the flaw in the handling of the "template match" condition and it occurs during the parsing / compilation of the crafted XSL style-sheet file. This can only be exploited via malicious XSL file and does not depend on the content of the processed XML file. This issue affected versions of libxslt as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5.
Created attachment 305960 [details] Patch for libxslt 1.1.11 Daniel Veillard's backport of the patch to libxslt 1.1.11.
Created attachment 305961 [details] Patch for libxslt 1.0.15 Daniel Veillard's backport of the patch to libxslt 1.0.15.
Lifting embargo.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0287.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-4130 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3973 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3889