oss-sec mailing list archives
Re: CVE Request: additional fix for CVE-2012-2825 libxslt crash
From: Vincent Danen <vdanen () redhat com>
Date: Tue, 5 Nov 2013 13:24:56 -0700
* [2013-11-05 13:50:09 +0100] Marcus Meissner wrote:
> Our QA found that the reproducer in CVE-2012-2825 (magic.xsl and magic.xml)
> also exposes another libxslt crash in older libxslt versions.
>
> https://bugzilla.novell.com/show_bug.cgi?id=849019
>
> This bug was fixed in libxslt 1.1.25 with this commit:
> https://gitorious.org/libxslt/libxslt/commit/7089a62b8f133b42a2981cf1f920a8b3fe9a8caa
>
> commit 7089a62b8f133b42a2981cf1f920a8b3fe9a8caa
> Author: Martin <gzlist () googlemail com>
> Date: Wed Sep 16 19:02:16 2009 +0200
>
>     Crash compiling stylesheet with DTD
>
>     * libxslt/xslt.c: when a stylesheet embeds a DTD the compilation
>       process could get seriously wrong
>
> Crash as a xmlDtd struct is accessed as a xmlNode, not really attacker
> controllable I would say, but a denial of service (crash).

As you probably saw, I commented in your bug regarding this and now that I've seen this I did some further digging.

The reason this doesn't crash for me on Red Hat Enterprise Linux 5 which ships 1.1.17 is because we included this patch (well, the developer did) a day after the initial build with the comment:

- CVE-2012-2825 requires an extra patch on 1.1.17

So, I think this does require a second CVE. This also explains why I didn't see any crashes with our updated packages because we already have this patch.

--
Vincent Danen / Red Hat Security Response Team