[MacPorts] #36499: libxslt 1.1.26: multiple CVEs

MacPorts noreply at macports.org
Sat Oct 6 13:07:41 PDT 2012 

#36499: libxslt 1.1.26: multiple CVEs
---------------------+--------------------------------
 Reporter:  blair@…  |      Owner:  macports-tickets@…
     Type:  defect   |     Status:  new
 Priority:  High     |  Milestone:
Component:  ports    |    Version:  2.1.2
 Keywords:           |       Port:  libxslt
---------------------+--------------------------------
 The following security issues were fixed in a recent Ubuntu 12.04 upgrade
 on my system:

 {{{
 libxslt (1.1.26-8ubuntu1.2) precise-security; urgency=low

   * SECURITY UPDATE: denial of service via out-of-bounds read
     - libxslt/pattern.c: fix improper loop exit.
     - fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b
     - CVE-2011-3970
   * SECURITY UPDATE: denial of service via out-of-bounds read
     - libxslt/xsltutils.h: check for XML_ELEMENT_NODE
     - e6a0bc8081271f33b9899eb78e1da1a2a0428419
     - CVE-2012-2825
   * SECURITY UPDATE: denial of service via crafted XSLT expression
     - harden code in libexslt/functions.c, libxslt/attributes.c,
       libxslt/functions.c, libxslt/pattern.c, libxslt/preproc.c,
       libxslt/templates.c, libxslt/transform.c, libxslt/variables.c,
       libxslt/xslt.c, libxslt/xsltutils.c.
     - 8566ab4a10158d195adb5f1f61afe1ee8bfebd12
     - 4da0f7e207f14a03daad4663865c285eb27f93e9
     - 24653072221e76d2f1f06aa71225229b532f8946
     - 1564b30e994602a95863d9716be83612580a2fed
     - CVE-2012-2870
   * SECURITY UPDATE: denial of service and possible code execution during
     handling of XSL transforms
     - libxslt/transform.c: check for XML_NAMESPACE_DECL
     - 937ba2a3eb42d288f53c8adc211bd1122869f0bf
     - CVE-2012-2871
   * SECURITY UPDATE: denial of service and possible code execution via
     double free during XSL transforms
     - libxslt/templates.c: Fix dictionary string usage
     - 54977ed7966847e305a2008cb18892df26eeb065
     - CVE-2012-2893
 }}}

 I noticed that libxslt released 1.1.27 on September 12 which may fix some
 of these.

 Somebody needs to go through the 1.1.27 release and see which issues were
 fixed and which were not and provide patches for them, or stick with
 1.1.26 and use the patches that Ubuntu does.

-- 
Ticket URL: <https://trac.macports.org/ticket/36499>
MacPorts <http://www.macports.org/>
Ports system for Mac OS

More information about the macports-tickets mailing list