oss-sec mailing list archives

Re: CVE Request: additional fix for CVE-2012-2825 libxslt crash


From: Vincent Danen <vdanen () redhat com>
Date: Tue, 5 Nov 2013 13:24:56 -0700

* [2013-11-05 13:50:09 +0100] Marcus Meissner wrote:

Our QA found that the reproducer in CVE-2012-2825 (magic.xsl and magic.xml)
also exposes another libxslt crash in older libxslt versions.

https://bugzilla.novell.com/show_bug.cgi?id=849019

This bug was fixed in libxslt 1.1.25 with this commit:
https://gitorious.org/libxslt/libxslt/commit/7089a62b8f133b42a2981cf1f920a8b3fe9a8caa

commit 7089a62b8f133b42a2981cf1f920a8b3fe9a8caa
Author: Martin <gzlist () googlemail com>
Date:   Wed Sep 16 19:02:16 2009 +0200

   Crash compiling stylesheet with DTD

   * libxslt/xslt.c: when a stylesheet embeds a DTD the compilation
     process could go seriously wrong

Crash as an xmlDtd struct is accessed as an xmlNode; not really attacker-controllable
I would say, but a denial of service (crash).

As you probably saw, I commented in your bug regarding this and now that
I've seen this I did some further digging.

The reason this doesn't crash for me on Red Hat Enterprise Linux 5 which
ships 1.1.17 is because we included this patch (well, the developer did)
a day after the initial build with the comment:

- CVE-2012-2825 requires an extra patch on 1.1.17

So, I think this does require a second CVE.  This also explains why I
didn't see any crashes with our updated packages because we already have
this patch.


--
Vincent Danen / Red Hat Security Response Team