Debian Bug report logs - #482664
CVE-2008-1767: buffver overflow in pattern.c

version graph

Package: libxslt1.1; Maintainer for libxslt1.1 is Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>; Source for libxslt1.1 is src:libxslt.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sat, 24 May 2008 10:21:02 UTC

Severity: grave

Tags: patch, security

Found in version libxslt/1.1.23-1

Fixed in version libxslt/1.1.24-1

Done: Mike Hommey <glandium@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#482664; Package libxslt1.1. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-1767: buffver overflow in pattern.c
Date: Sat, 24 May 2008 20:16:05 +1000
[Message part 1 (text/plain, inline)]
Package: libxslt1.1
Version: 1.1.23-1
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

The following CVE(0) has been issued against libxslt.

CVE-2008-1767:

Buffer overflow in pattern.c in libxslt before 1.1.24 allows
context-dependent attackers to cause a denial of service (crash) and
possibly execute arbitrary code via an XSL style sheet file with a long
XSLT "transformation match" condition that triggers a large number of
steps.

Upstream patch is attached.

Please mention the CVE id in your changelog, when you fix this bug.

Cheers
Steffen

(0): http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1767
[patch (text/x-c, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#482664; Package libxslt1.1. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 482664@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 482664@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#482664: CVE-2008-1767: buffver overflow in pattern.c
Date: Sat, 24 May 2008 14:09:19 +0200
[Message part 1 (text/plain, inline)]
On Saturday 24 May 2008 12:16, Steffen Joeris wrote:
> Upstream patch is attached.

More patches from RH:
https://bugzilla.redhat.com/show_bug.cgi?id=446809#c13



Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#482664; Package libxslt1.1. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 482664@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 482664@bugs.debian.org
Subject: Re: Bug#482664: [Secure-testing-team] Bug#482664: CVE-2008-1767: buffver overflow in pattern.c
Date: Sat, 24 May 2008 16:01:46 +0200
[Message part 1 (text/plain, inline)]
Hi Thijs,
* Thijs Kinkhorst <thijs@debian.org> [2008-05-24 14:25]:
> On Saturday 24 May 2008 12:16, Steffen Joeris wrote:
> > Upstream patch is attached.
> 
> More patches from RH:
> https://bugzilla.redhat.com/show_bug.cgi?id=446809#c13

Its the same.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#482664; Package libxslt1.1. Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 482664@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 482664@bugs.debian.org
Subject: Re: [xml/sgml-pkgs] Bug#482664: CVE-2008-1767: buffver overflow in pattern.c
Date: Sat, 24 May 2008 17:01:52 +0200
On Sat, May 24, 2008 at 08:16:05PM +1000, Steffen Joeris wrote:
> Package: libxslt1.1
> Version: 1.1.23-1
> Severity: grave
> Tags: security, patch
> Justification: user security hole
> 
> Hi
> 
> The following CVE(0) has been issued against libxslt.
> 
> CVE-2008-1767:
> 
> Buffer overflow in pattern.c in libxslt before 1.1.24 allows
> context-dependent attackers to cause a denial of service (crash) and
> possibly execute arbitrary code via an XSL style sheet file with a long
> XSLT "transformation match" condition that triggers a large number of
> steps.
> 
> Upstream patch is attached.
> 
> Please mention the CVE id in your changelog, when you fix this bug.

I haven't had time to take a deep look at the issue. Anyways, uploading
1.1.24 in unstable (which was planned) should fix this. Is an update
for stable required ? Or is the security team already working on it?

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#482664; Package libxslt1.1. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #25 received at 482664@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Mike Hommey <mh@glandium.org>
Cc: security@debian.org, 482664@bugs.debian.org
Subject: Re: [xml/sgml-pkgs] Bug#482664: CVE-2008-1767: buffver overflow in pattern.c
Date: Sat, 24 May 2008 17:14:03 +0200
[Message part 1 (text/plain, inline)]
On Saturday 24 May 2008 17:01, Mike Hommey wrote:
> I haven't had time to take a deep look at the issue. Anyways, uploading
> 1.1.24 in unstable (which was planned) should fix this. Is an update
> for stable required ? Or is the security team already working on it?

At the moment no-one from the stable security team is working on it. If you're 
in the position to create a stable update we'd welcome it. Ticket 688 in RT 
deals with this issue.


thanks,

Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#482664; Package libxslt1.1. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #30 received at 482664@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Mike Hommey <mh@glandium.org>
Cc: 482664@bugs.debian.org, team@security.debian.org
Subject: Re: [xml/sgml-pkgs] Bug#482664: CVE-2008-1767: buffver overflow in pattern.c
Date: Sun, 25 May 2008 01:16:26 +1000
[Message part 1 (text/plain, inline)]
Hi Mike

On Sun, 25 May 2008 01:01:52 am Mike Hommey wrote:
> On Sat, May 24, 2008 at 08:16:05PM +1000, Steffen Joeris wrote:
> > Package: libxslt1.1
> > Version: 1.1.23-1
> > Severity: grave
> > Tags: security, patch
> > Justification: user security hole
> >
> > Hi
> >
> > The following CVE(0) has been issued against libxslt.
> >
> > CVE-2008-1767:
> >
> > Buffer overflow in pattern.c in libxslt before 1.1.24 allows
> > context-dependent attackers to cause a denial of service (crash) and
> > possibly execute arbitrary code via an XSL style sheet file with a long
> > XSLT "transformation match" condition that triggers a large number of
> > steps.
> >
> > Upstream patch is attached.
> >
> > Please mention the CVE id in your changelog, when you fix this bug.
>
> I haven't had time to take a deep look at the issue. Anyways, uploading
> 1.1.24 in unstable (which was planned) should fix this. Is an update
> for stable required ? Or is the security team already working on it?
Thanks for your efforts.
Depending on how stable the new upstream release is, maybe it could be 
uploaded with a higher urgency. For the testing-security team, it would be 
great to get that bug fixed in testing.

cc'ing the stable-security team for reaching a decision on stable.

Cheers
Steffen


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#482664; Package libxslt1.1. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #35 received at 482664@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Nico Golde <nion@debian.org>
Cc: 482664@bugs.debian.org
Subject: Re: Bug#482664: [Secure-testing-team] Bug#482664: CVE-2008-1767: buffver overflow in pattern.c
Date: Sat, 24 May 2008 17:17:48 +0200
On Saturday 24 May 2008 16:01, Nico Golde wrote:
> > More patches from RH:
> > https://bugzilla.redhat.com/show_bug.cgi?id=446809#c13
>
> Its the same.

Ah ok, didn't have time to check before I left :-)


Thijs




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#482664; Package libxslt1.1. Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #40 received at 482664@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: 482664@bugs.debian.org
Subject: Re: [xml/sgml-pkgs] Bug#482664: CVE-2008-1767: buffver overflow in pattern.c
Date: Sat, 24 May 2008 17:36:49 +0200
On Sun, May 25, 2008 at 01:16:26AM +1000, Steffen Joeris wrote:
> Hi Mike
> 
> On Sun, 25 May 2008 01:01:52 am Mike Hommey wrote:
> > On Sat, May 24, 2008 at 08:16:05PM +1000, Steffen Joeris wrote:
> > > Package: libxslt1.1
> > > Version: 1.1.23-1
> > > Severity: grave
> > > Tags: security, patch
> > > Justification: user security hole
> > >
> > > Hi
> > >
> > > The following CVE(0) has been issued against libxslt.
> > >
> > > CVE-2008-1767:
> > >
> > > Buffer overflow in pattern.c in libxslt before 1.1.24 allows
> > > context-dependent attackers to cause a denial of service (crash) and
> > > possibly execute arbitrary code via an XSL style sheet file with a long
> > > XSLT "transformation match" condition that triggers a large number of
> > > steps.
> > >
> > > Upstream patch is attached.
> > >
> > > Please mention the CVE id in your changelog, when you fix this bug.
> >
> > I haven't had time to take a deep look at the issue. Anyways, uploading
> > 1.1.24 in unstable (which was planned) should fix this. Is an update
> > for stable required ? Or is the security team already working on it?
> Thanks for your efforts.
> Depending on how stable the new upstream release is, maybe it could be 
> uploaded with a higher urgency. For the testing-security team, it would be 
> great to get that bug fixed in testing.

Actually, the new release is much better than the version currently in
testing, which has a broken support for xslt keys.

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#482664; Package libxslt1.1. Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #45 received at 482664@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 482664@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [xml/sgml-pkgs] Bug#482664: Bug#482664: CVE-2008-1767: buffver overflow in pattern.c
Date: Sun, 25 May 2008 17:03:35 +0200
On Sun, May 25, 2008 at 01:16:26AM +1000, Steffen Joeris wrote:
> > I haven't had time to take a deep look at the issue. Anyways, uploading
> > 1.1.24 in unstable (which was planned) should fix this. Is an update
> > for stable required ? Or is the security team already working on it?
> Thanks for your efforts.
> Depending on how stable the new upstream release is, maybe it could be 
> uploaded with a higher urgency. For the testing-security team, it would be 
> great to get that bug fixed in testing.
> 
> cc'ing the stable-security team for reaching a decision on stable.

I uploaded 1.1.24-1 fixing this issue to unstable, at urgency: high.
I also prepared a 1.1.19-1etch1 release targetted at stable-security.
Shall I proceed uploading it to security-master ?

Mike




Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #50 received at 482664-close@bugs.debian.org (full text, mbox):

From: Mike Hommey <glandium@debian.org>
To: 482664-close@bugs.debian.org
Subject: Bug#482664: fixed in libxslt 1.1.24-1
Date: Sun, 25 May 2008 15:02:03 +0000
Source: libxslt
Source-Version: 1.1.24-1

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive:

libxslt1-dbg_1.1.24-1_amd64.deb
  to pool/main/libx/libxslt/libxslt1-dbg_1.1.24-1_amd64.deb
libxslt1-dev_1.1.24-1_amd64.deb
  to pool/main/libx/libxslt/libxslt1-dev_1.1.24-1_amd64.deb
libxslt1.1_1.1.24-1_amd64.deb
  to pool/main/libx/libxslt/libxslt1.1_1.1.24-1_amd64.deb
libxslt_1.1.24-1.diff.gz
  to pool/main/libx/libxslt/libxslt_1.1.24-1.diff.gz
libxslt_1.1.24-1.dsc
  to pool/main/libx/libxslt/libxslt_1.1.24-1.dsc
libxslt_1.1.24.orig.tar.gz
  to pool/main/libx/libxslt/libxslt_1.1.24.orig.tar.gz
python-libxslt1_1.1.24-1_amd64.deb
  to pool/main/libx/libxslt/python-libxslt1_1.1.24-1_amd64.deb
xsltproc_1.1.24-1_amd64.deb
  to pool/main/libx/libxslt/xsltproc_1.1.24-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 482664@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <glandium@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 25 May 2008 16:24:29 +0200
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1
Architecture: source amd64
Version: 1.1.24-1
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Mike Hommey <glandium@debian.org>
Description: 
 libxslt1-dbg - XSLT processing library - debugging symbols
 libxslt1-dev - XSLT processing library - development kit
 libxslt1.1 - XSLT processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 xsltproc   - XSLT command line processor
Closes: 482664
Changes: 
 libxslt (1.1.24-1) unstable; urgency=high
 .
   * New upstream release.
   * Fix for CVE-2008-1767: buffer overflow in pattern.c. Closes: #482664.
Checksums-Sha1: 
 1bc022fecc4a9cb4ba8e400899e7aa02f21a4203 1232 libxslt_1.1.24-1.dsc
 b5402e24abff5545ed76f6a55049cbebc664bd58 3363961 libxslt_1.1.24.orig.tar.gz
 ed0e53c5d422da1143057b775fc8255b386f97cc 74960 libxslt_1.1.24-1.diff.gz
 771b678874355e68b9ea107e3e331e5b814d45a2 232402 libxslt1.1_1.1.24-1_amd64.deb
 a83630de1171837be05d6ed622ec0d36f3a165f4 640250 libxslt1-dev_1.1.24-1_amd64.deb
 b1fdc98366ec4ebf781b2ee510d57086c8158250 360768 libxslt1-dbg_1.1.24-1_amd64.deb
 fbe797de7c52cd6627ea9171b4d98c536092e8ef 111452 xsltproc_1.1.24-1_amd64.deb
 0059976bc2e8c7ccbe5de91dc557374153727964 164390 python-libxslt1_1.1.24-1_amd64.deb
Checksums-Sha256: 
 4b9e62f047e7d001524725f1d056eb77511626f8acf4a34ccecc57903103ac1a 1232 libxslt_1.1.24-1.dsc
 c0c10944841e9a79f29d409c6f8da0d1b1af0403eb3819c82c788dfa6a180b3e 3363961 libxslt_1.1.24.orig.tar.gz
 db7bcdaafa7e73f559d2f66bab644a55a33164f5301608229548bb1ab264b6dd 74960 libxslt_1.1.24-1.diff.gz
 d27deb589c6aca021a10b28e4236d2546d96f702cb590f0fc4bc92700975d672 232402 libxslt1.1_1.1.24-1_amd64.deb
 86840593949bd41fa63eaee202e42e5fb2ef55b609455e04e71f8544483ddd0e 640250 libxslt1-dev_1.1.24-1_amd64.deb
 426c58d3535a2e83a3283395eeb56b0997984ba029b7fbf33789c27cd09dfd1b 360768 libxslt1-dbg_1.1.24-1_amd64.deb
 05d4acd906de605b7d88e2bf5a87df74cdb31b227964c2834f8742d1882b2be4 111452 xsltproc_1.1.24-1_amd64.deb
 a7a5e900bbd3ce0cfa5cf3fb9cb1b48534c455c55380673c5129819be454fb60 164390 python-libxslt1_1.1.24-1_amd64.deb
Files: 
 15e44361356cdc0dd2fa95978e574683 1232 text optional libxslt_1.1.24-1.dsc
 e83ec5d27fc4c10c6f612879bea9a153 3363961 text optional libxslt_1.1.24.orig.tar.gz
 c657ba3c68f06d278bdf3ba5fb635af7 74960 text optional libxslt_1.1.24-1.diff.gz
 452aa1b955057b48a7350e1de45c719b 232402 libs optional libxslt1.1_1.1.24-1_amd64.deb
 6d58969475a2af5873f54a50c2ee970b 640250 libdevel optional libxslt1-dev_1.1.24-1_amd64.deb
 23cd697fecae779ad0332587f2751b60 360768 libdevel extra libxslt1-dbg_1.1.24-1_amd64.deb
 a82f2573904c8c0ff3902bb5431d9165 111452 text optional xsltproc_1.1.24-1_amd64.deb
 530baa10725efb7ce16bb1507667f21f 164390 python optional python-libxslt1_1.1.24-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIOXxD3kvaLFT9KlgRAsBZAJ9fHLXoNpE1gyI5nK8ZFtOOFr8e0wCdGmxV
OJ0CCJuC2e/qH93+dc/KSS0=
=dknn
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 26 Jun 2008 07:36:56 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:25:30 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.