On Sat, May 24, 2008 at 08:16:05PM +1000, Steffen Joeris wrote: > Package: libxslt1.1 > Version: 1.1.23-1 > Severity: grave > Tags: security, patch > Justification: user security hole > > Hi > > The following CVE(0) has been issued against libxslt. > > CVE-2008-1767: > > Buffer overflow in pattern.c in libxslt before 1.1.24 allows > context-dependent attackers to cause a denial of service (crash) and > possibly execute arbitrary code via an XSL style sheet file with a long > XSLT "transformation match" condition that triggers a large number of > steps. > > Upstream patch is attached. > > Please mention the CVE id in your changelog, when you fix this bug.
I haven't had time to take a deep look at the issue. Anyways, uploading 1.1.24 in unstable (which was planned) should fix this. Is an update for stable required ? Or is the security team already working on it? Mike -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
