Your message dated Sun, 25 May 2008 15:02:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#482664: fixed in libxslt 1.1.24-1
has caused the Debian Bug report #482664,
regarding CVE-2008-1767: buffer overflow in pattern.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
482664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482664
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libxslt1.1
Version: 1.1.23-1
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

The following CVE(0) has been issued against libxslt.

CVE-2008-1767:

Buffer overflow in pattern.c in libxslt before 1.1.24 allows
context-dependent attackers to cause a denial of service (crash) and
possibly execute arbitrary code via an XSL style sheet file with a long
XSLT "transformation match" condition that triggers a large number of
steps.

Upstream patch is attached.

Please mention the CVE id in your changelog, when you fix this bug.

Cheers
Steffen

(0): http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1767
Index: libxslt/pattern.c
===================================================================
--- libxslt/pattern.c	(revision 1465)
+++ libxslt-1.1.23/libxslt/pattern.c	(working copy)
@@ -106,7 +106,7 @@ struct _xsltCompMatch {
     int maxStep;
     xmlNsPtr *nsList;		/* the namespaces in scope */
     int nsNr;			/* the number of namespaces in scope */
-    xsltStepOp steps[40];        /* ops for computation */
+    xsltStepOpPtr steps;        /* ops for computation */
 };
 
 typedef struct _xsltParserContext xsltParserContext;
@@ -146,7 +146,16 @@ xsltNewCompMatch(void) {
 	return(NULL);
     }
     memset(cur, 0, sizeof(xsltCompMatch));
-    cur->maxStep = 40;
+    cur->maxStep = 10;
+    cur->nbStep = 0;
+    cur-> steps = (xsltStepOpPtr) xmlMalloc(sizeof(xsltStepOp) *
+                                            cur->maxStep);
+    if (cur->steps == NULL) {
+	xsltTransformError(NULL, NULL, NULL,
+		"xsltNewCompMatch : out of memory error\n");
+	xmlFree(cur);
+	return(NULL);
+    }
     cur->nsNr = 0;
     cur->nsList = NULL;
     cur->direct = 0;
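Review bot: The stray space in `cur-> steps = (xsltStepOpPtr) xmlMalloc(sizeof(xsltStepOp) *` is a style slip; write `cur->steps = (xsltStepOpPtr) xmlMalloc(sizeof(xsltStepOp) * cur->maxStep);`. Note also that, unlike the former in-struct array, this buffer is not covered by the preceding `memset(cur, 0, sizeof(xsltCompMatch))`, so each step's fields must be set explicitly when the step is added rather than relied on to be zero. Error reporting is also inconsistent within the patch: this failure uses xsltTransformError while the realloc failures in xsltCompMatchAdd and xsltPatPushState use xsltGenericError; settling on one keeps the diagnostics uniform. xsltNewCompMatch continues past the end of the hunk.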
@@ -181,6 +190,7 @@ xsltFreeCompMatch(xsltCompMatchPtr comp)
 	if (op->comp != NULL)
 	    xmlXPathFreeCompExpr(op->comp);
     }
+    xmlFree(comp->steps);
     memset(comp, -1, sizeof(xsltCompMatch));
     xmlFree(comp);
 }
@@ -279,14 +289,26 @@ static int
 xsltCompMatchAdd(xsltParserContextPtr ctxt, xsltCompMatchPtr comp,
                  xsltOp op, xmlChar * value, xmlChar * value2, int novar)
 {
-    if (comp->nbStep >= 40) {
-        xsltTransformError(NULL, NULL, NULL,
-                         "xsltCompMatchAdd: overflow\n");
-        return (-1);
+    if (comp->nbStep >= comp->maxStep) {
+        xsltStepOpPtr tmp;
+
+	tmp = (xsltStepOpPtr) xmlRealloc(comp->steps, comp->maxStep * 2 *
+	                                 sizeof(xsltStepOp));
+	if (tmp == NULL) {
+	    xsltGenericError(xsltGenericErrorContext,
+	     "xsltCompMatchAdd: memory re-allocation failure.\n");
+	    if (ctxt->style != NULL)
+		ctxt->style->errors++;
+	    return (-1);
+	}
+        comp->maxStep *= 2;
+	comp->steps = tmp;
     }
     comp->steps[comp->nbStep].op = op;
     comp->steps[comp->nbStep].value = value;
     comp->steps[comp->nbStep].value2 = value2;
+    comp->steps[comp->nbStep].value3 = NULL;
+    comp->steps[comp->nbStep].comp = NULL;
     if (ctxt->ctxt != NULL) {
 	comp->steps[comp->nbStep].previousExtra =
 	    xsltAllocateExtraCtxt(ctxt->ctxt);
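Review bot: In `xmlRealloc(comp->steps, comp->maxStep * 2 * sizeof(xsltStepOp))` the doubling is done on the int `maxStep` before the size_t promotion, so it is a signed multiplication; it is out of reach in practice from a 10-entry start, but `(size_t)comp->maxStep * 2 * sizeof(xsltStepOp)` keeps the whole size computation unsigned at no cost. More importantly, the slots returned by xmlRealloc are not zeroed, whereas the old 40-entry array was cleared by the memset in xsltNewCompMatch; the hunk now sets value3 and comp to NULL, but previousExtra, indexExtra and lenExtra are only assigned in the `if (ctxt->ctxt != NULL)` branch visible here. The rest of xsltCompMatchAdd is outside the hunk — confirm that every path assigns those three fields before xsltSwapTopCompMatch and xsltReverseCompMatch copy them, otherwise they are read uninitialized.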
@@ -343,6 +365,7 @@ xsltSwapTopCompMatch(xsltCompMatchPtr co
 	register xmlChar *tmp;
 	register xsltOp op;
 	register xmlXPathCompExprPtr expr; 
+	register int t;
 	i = j - 1;
 	tmp = comp->steps[i].value;
 	comp->steps[i].value = comp->steps[j].value;
@@ -350,46 +373,74 @@ xsltSwapTopCompMatch(xsltCompMatchPtr co
 	tmp = comp->steps[i].value2;
 	comp->steps[i].value2 = comp->steps[j].value2;
 	comp->steps[j].value2 = tmp;
+	tmp = comp->steps[i].value3;
+	comp->steps[i].value3 = comp->steps[j].value3;
+	comp->steps[j].value3 = tmp;
 	op = comp->steps[i].op;
 	comp->steps[i].op = comp->steps[j].op;
 	comp->steps[j].op = op;
 	expr = comp->steps[i].comp;
 	comp->steps[i].comp = comp->steps[j].comp;
 	comp->steps[j].comp = expr;
+	t = comp->steps[i].previousExtra;
+	comp->steps[i].previousExtra = comp->steps[j].previousExtra;
+	comp->steps[j].previousExtra = t;
+	t = comp->steps[i].indexExtra;
+	comp->steps[i].indexExtra = comp->steps[j].indexExtra;
+	comp->steps[j].indexExtra = t;
+	t = comp->steps[i].lenExtra;
+	comp->steps[i].lenExtra = comp->steps[j].lenExtra;
+	comp->steps[j].lenExtra = t;
     }
 }
 
 /**
  * xsltReverseCompMatch:
+ * @ctxt: the parser context
  * @comp:  the compiled match expression
  *
  * reverse all the stack of expressions
  */
 static void
-xsltReverseCompMatch(xsltCompMatchPtr comp) {
+xsltReverseCompMatch(xsltParserContextPtr ctxt, xsltCompMatchPtr comp) {
     int i = 0;
     int j = comp->nbStep - 1;
 
     while (j > i) {
 	register xmlChar *tmp;
 	register xsltOp op;
-	register xmlXPathCompExprPtr expr; 
+	register xmlXPathCompExprPtr expr;
+	register int t;
+
 	tmp = comp->steps[i].value;
 	comp->steps[i].value = comp->steps[j].value;
 	comp->steps[j].value = tmp;
 	tmp = comp->steps[i].value2;
 	comp->steps[i].value2 = comp->steps[j].value2;
 	comp->steps[j].value2 = tmp;
+	tmp = comp->steps[i].value3;
+	comp->steps[i].value3 = comp->steps[j].value3;
+	comp->steps[j].value3 = tmp;
 	op = comp->steps[i].op;
 	comp->steps[i].op = comp->steps[j].op;
 	comp->steps[j].op = op;
 	expr = comp->steps[i].comp;
 	comp->steps[i].comp = comp->steps[j].comp;
 	comp->steps[j].comp = expr;
+	t = comp->steps[i].previousExtra;
+	comp->steps[i].previousExtra = comp->steps[j].previousExtra;
+	comp->steps[j].previousExtra = t;
+	t = comp->steps[i].indexExtra;
+	comp->steps[i].indexExtra = comp->steps[j].indexExtra;
+	comp->steps[j].indexExtra = t;
+	t = comp->steps[i].lenExtra;
+	comp->steps[i].lenExtra = comp->steps[j].lenExtra;
+	comp->steps[j].lenExtra = t;
 	j--;
 	i++;
     }
-    comp->steps[comp->nbStep++].op = XSLT_OP_END;
+    xsltCompMatchAdd(ctxt, comp, XSLT_OP_END, NULL, NULL, 0);
+
     /*
      * detect consecutive XSLT_OP_PREDICATE indicating a direct
      * matching should be done.
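Review bot: The result of `xsltCompMatchAdd(ctxt, comp, XSLT_OP_END, NULL, NULL, 0);` is discarded, so when the step array cannot be grown the compiled pattern is left without its XSLT_OP_END terminator and only `ctxt->style->errors` records the failure; how the matcher behaves on an unterminated step list cannot be checked from this hunk. Giving xsltReverseCompMatch an int return, storing that status (`int ret = xsltCompMatchAdd(ctxt, comp, XSLT_OP_END, NULL, NULL, 0);`) and returning it would let xsltCompilePatternInternal abandon the pattern at its `xsltReverseCompMatch(ctxt, element);` call in the last hunk. As a point of style, the per-field swap now repeats nine triples both in xsltSwapTopCompMatch (previous hunk) and here; a struct assignment `xsltStepOp t = comp->steps[i]; comp->steps[i] = comp->steps[j]; comp->steps[j] = t;` swaps every member, including any added later, and cannot miss one the way the pre-patch code missed the *Extra fields. xsltReverseCompMatch continues past the end of the hunk.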
@@ -420,7 +471,8 @@ xsltReverseCompMatch(xsltCompMatchPtr co
  ************************************************************************/
 
 static int
-xsltPatPushState(xsltStepStates *states, int step, xmlNodePtr node) {
+xsltPatPushState(xsltTransformContextPtr ctxt, xsltStepStates *states,
+                 int step, xmlNodePtr node) {
     if ((states->states == NULL) || (states->maxstates <= 0)) {
         states->maxstates = 4;
 	states->nbstates = 0;
@@ -431,8 +483,12 @@ xsltPatPushState(xsltStepStates *states,
 
 	tmp = (xsltStepStatePtr) xmlRealloc(states->states,
 			       2 * states->maxstates * sizeof(xsltStepState));
-	if (tmp == NULL)
+	if (tmp == NULL) {
+	    xsltGenericError(xsltGenericErrorContext,
+	     "xsltPatPushState: memory re-allocation failure.\n");
+	    ctxt->state = XSLT_STATE_STOPPED;
 	    return(-1);
+	}
 	states->states = tmp;
 	states->maxstates *= 2;
     }
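Review bot: The new failure path writes `ctxt->state = XSLT_STATE_STOPPED;` without checking the ctxt parameter, whereas the equivalent path added to xsltCompMatchAdd guards `ctxt->style != NULL`; whether xsltPatPushState can ever be reached with a NULL transform context is decided by callers outside this hunk. If it can, `if (ctxt != NULL) ctxt->state = XSLT_STATE_STOPPED;` avoids turning an out-of-memory condition into a NULL dereference. The same signed-doubling remark as in xsltCompMatchAdd applies to `2 * states->maxstates * sizeof(xsltStepState)`. xsltPatPushState starts outside the hunk.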
@@ -738,12 +794,12 @@ restart:
 		    goto rollback;
 		node = node->parent;
 		if ((step->op != XSLT_OP_ELEM) && step->op != XSLT_OP_ALL) {
-		    xsltPatPushState(&states, i, node);
+		    xsltPatPushState(ctxt, &states, i, node);
 		    continue;
 		}
 		i++;
 		if (step->value == NULL) {
-		    xsltPatPushState(&states, i - 1, node);
+		    xsltPatPushState(ctxt, &states, i - 1, node);
 		    continue;
 		}
 		while (node != NULL) {
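Review bot: The calls `xsltPatPushState(ctxt, &states, i, node);` and `xsltPatPushState(ctxt, &states, i - 1, node);` here, and the one in the next hunk, still discard the -1 that the new failure path returns, so after a failed realloc the rollback state for this step is silently dropped and matching proceeds with `continue`. Whether the loop stops once `ctxt->state == XSLT_STATE_STOPPED` is decided outside this hunk; if it does not, testing the return value and leaving the matcher with a failure (for example `if (xsltPatPushState(ctxt, &states, i, node) < 0) goto rollback;` — assuming rollback is the appropriate exit, which cannot be verified from here) keeps an allocation failure from being reported as a partial match result. The enclosing function starts and ends outside the hunk.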
@@ -764,7 +820,7 @@ restart:
 		}
 		if (node == NULL)
 		    goto rollback;
-		xsltPatPushState(&states, i - 1, node);
+		xsltPatPushState(ctxt, &states, i - 1, node);
 		continue;
             case XSLT_OP_ID: {
 		/* TODO Handle IDs decently, must be done differently */
@@ -1971,7 +2027,7 @@ xsltCompilePatternInternal(const xmlChar
 	/*
 	 * Reverse for faster interpretation.
 	 */
-	xsltReverseCompMatch(element);
+	xsltReverseCompMatch(ctxt, element);
 
 	/*
 	 * Set-up the priority


--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.24-1

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive:

libxslt1-dbg_1.1.24-1_amd64.deb
  to pool/main/libx/libxslt/libxslt1-dbg_1.1.24-1_amd64.deb
libxslt1-dev_1.1.24-1_amd64.deb
  to pool/main/libx/libxslt/libxslt1-dev_1.1.24-1_amd64.deb
libxslt1.1_1.1.24-1_amd64.deb
  to pool/main/libx/libxslt/libxslt1.1_1.1.24-1_amd64.deb
libxslt_1.1.24-1.diff.gz
  to pool/main/libx/libxslt/libxslt_1.1.24-1.diff.gz
libxslt_1.1.24-1.dsc
  to pool/main/libx/libxslt/libxslt_1.1.24-1.dsc
libxslt_1.1.24.orig.tar.gz
  to pool/main/libx/libxslt/libxslt_1.1.24.orig.tar.gz
python-libxslt1_1.1.24-1_amd64.deb
  to pool/main/libx/libxslt/python-libxslt1_1.1.24-1_amd64.deb
xsltproc_1.1.24-1_amd64.deb
  to pool/main/libx/libxslt/xsltproc_1.1.24-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <[EMAIL PROTECTED]> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 25 May 2008 16:24:29 +0200
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1
Architecture: source amd64
Version: 1.1.24-1
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <[EMAIL PROTECTED]>
Changed-By: Mike Hommey <[EMAIL PROTECTED]>
Description: 
 libxslt1-dbg - XSLT processing library - debugging symbols
 libxslt1-dev - XSLT processing library - development kit
 libxslt1.1 - XSLT processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 xsltproc   - XSLT command line processor
Closes: 482664
Changes: 
 libxslt (1.1.24-1) unstable; urgency=high
 .
   * New upstream release.
   * Fix for CVE-2008-1767: buffer overflow in pattern.c. Closes: #482664.
Checksums-Sha1: 
 1bc022fecc4a9cb4ba8e400899e7aa02f21a4203 1232 libxslt_1.1.24-1.dsc
 b5402e24abff5545ed76f6a55049cbebc664bd58 3363961 libxslt_1.1.24.orig.tar.gz
 ed0e53c5d422da1143057b775fc8255b386f97cc 74960 libxslt_1.1.24-1.diff.gz
 771b678874355e68b9ea107e3e331e5b814d45a2 232402 libxslt1.1_1.1.24-1_amd64.deb
 a83630de1171837be05d6ed622ec0d36f3a165f4 640250 libxslt1-dev_1.1.24-1_amd64.deb
 b1fdc98366ec4ebf781b2ee510d57086c8158250 360768 libxslt1-dbg_1.1.24-1_amd64.deb
 fbe797de7c52cd6627ea9171b4d98c536092e8ef 111452 xsltproc_1.1.24-1_amd64.deb
 0059976bc2e8c7ccbe5de91dc557374153727964 164390 
python-libxslt1_1.1.24-1_amd64.deb
Checksums-Sha256: 
 4b9e62f047e7d001524725f1d056eb77511626f8acf4a34ccecc57903103ac1a 1232 
libxslt_1.1.24-1.dsc
 c0c10944841e9a79f29d409c6f8da0d1b1af0403eb3819c82c788dfa6a180b3e 3363961 
libxslt_1.1.24.orig.tar.gz
 db7bcdaafa7e73f559d2f66bab644a55a33164f5301608229548bb1ab264b6dd 74960 
libxslt_1.1.24-1.diff.gz
 d27deb589c6aca021a10b28e4236d2546d96f702cb590f0fc4bc92700975d672 232402 
libxslt1.1_1.1.24-1_amd64.deb
 86840593949bd41fa63eaee202e42e5fb2ef55b609455e04e71f8544483ddd0e 640250 
libxslt1-dev_1.1.24-1_amd64.deb
 426c58d3535a2e83a3283395eeb56b0997984ba029b7fbf33789c27cd09dfd1b 360768 
libxslt1-dbg_1.1.24-1_amd64.deb
 05d4acd906de605b7d88e2bf5a87df74cdb31b227964c2834f8742d1882b2be4 111452 
xsltproc_1.1.24-1_amd64.deb
 a7a5e900bbd3ce0cfa5cf3fb9cb1b48534c455c55380673c5129819be454fb60 164390 
python-libxslt1_1.1.24-1_amd64.deb
Files: 
 15e44361356cdc0dd2fa95978e574683 1232 text optional libxslt_1.1.24-1.dsc
 e83ec5d27fc4c10c6f612879bea9a153 3363961 text optional 
libxslt_1.1.24.orig.tar.gz
 c657ba3c68f06d278bdf3ba5fb635af7 74960 text optional libxslt_1.1.24-1.diff.gz
 452aa1b955057b48a7350e1de45c719b 232402 libs optional 
libxslt1.1_1.1.24-1_amd64.deb
 6d58969475a2af5873f54a50c2ee970b 640250 libdevel optional 
libxslt1-dev_1.1.24-1_amd64.deb
 23cd697fecae779ad0332587f2751b60 360768 libdevel extra 
libxslt1-dbg_1.1.24-1_amd64.deb
 a82f2573904c8c0ff3902bb5431d9165 111452 text optional 
xsltproc_1.1.24-1_amd64.deb
 530baa10725efb7ce16bb1507667f21f 164390 python optional 
python-libxslt1_1.1.24-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIOXxD3kvaLFT9KlgRAsBZAJ9fHLXoNpE1gyI5nK8ZFtOOFr8e0wCdGmxV
OJ0CCJuC2e/qH93+dc/KSS0=
=dknn
-----END PGP SIGNATURE-----



--- End Message ---
