[MacPorts] #36499: libxslt 1.1.26: multiple CVEs
MacPorts
noreply at macports.org
Sat Oct 6 13:07:41 PDT 2012
#36499: libxslt 1.1.26: multiple CVEs
---------------------+--------------------------------
Reporter: blair@… | Owner: macports-tickets@…
Type: defect | Status: new
Priority: High | Milestone:
Component: ports | Version: 2.1.2
Keywords: | Port: libxslt
---------------------+--------------------------------
The following security issues were fixed in a recent Ubuntu 12.04 upgrade
on my system:
{{{
libxslt (1.1.26-8ubuntu1.2) precise-security; urgency=low
* SECURITY UPDATE: denial of service via out-of-bounds read
- libxslt/pattern.c: fix improper loop exit.
- fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b
- CVE-2011-3970
* SECURITY UPDATE: denial of service via out-of-bounds read
- libxslt/xsltutils.h: check for XML_ELEMENT_NODE
- e6a0bc8081271f33b9899eb78e1da1a2a0428419
- CVE-2012-2825
* SECURITY UPDATE: denial of service via crafted XSLT expression
- harden code in libexslt/functions.c, libxslt/attributes.c,
libxslt/functions.c, libxslt/pattern.c, libxslt/preproc.c,
libxslt/templates.c, libxslt/transform.c, libxslt/variables.c,
libxslt/xslt.c, libxslt/xsltutils.c.
- 8566ab4a10158d195adb5f1f61afe1ee8bfebd12
- 4da0f7e207f14a03daad4663865c285eb27f93e9
- 24653072221e76d2f1f06aa71225229b532f8946
- 1564b30e994602a95863d9716be83612580a2fed
- CVE-2012-2870
* SECURITY UPDATE: denial of service and possible code execution during
handling of XSL transforms
- libxslt/transform.c: check for XML_NAMESPACE_DECL
- 937ba2a3eb42d288f53c8adc211bd1122869f0bf
- CVE-2012-2871
* SECURITY UPDATE: denial of service and possible code execution via
double free during XSL transforms
- libxslt/templates.c: Fix dictionary string usage
- 54977ed7966847e305a2008cb18892df26eeb065
- CVE-2012-2893
}}}
I noticed that libxslt released 1.1.27 on September 12 which may fix some
of these.
Somebody needs to go through the 1.1.27 release and see which issues were
fixed and which were not and provide patches for them, or stick with
1.1.26 and use the patches that Ubuntu does.
--
Ticket URL: <https://trac.macports.org/ticket/36499>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
More information about the macports-tickets
mailing list