Bugzilla – Bug 849019
VUL-0: CVE-2013-4520: libxslt: crash with bad DTD stylesheets before libxslt 1.1.25
Last modified: 2013-11-21 07:42:35 UTC
found by SUSE QA during testing of bug 769182

$ xsltproc magic.xsl magic.xml
Segmentation fault

The fix was done in libxslt 1.1.25 with this commit: https://gitorious.org/libxslt/libxslt/commit/7089a62b8f133b42a2981cf1f920a8b3fe9a8caa

commit 7089a62b8f133b42a2981cf1f920a8b3fe9a8caa
Author: Martin <gzlist@googlemail.com>
Date:   Wed Sep 16 19:02:16 2009 +0200

    Crash compiling stylesheet with DTD

    * libxslt/xslt.c: when a stylesheet embeds a DTD the compilation process could get seriously wrong
Created attachment 566165 [details] magic.xsl
Created attachment 566166 [details] magic.xml
affects SLES9, SLES10, SLES11; does not affect openSUSE 12.1 and later (affects Evergreen 11.4)
Is this not CVE-2012-2825? Looking at the magic.* files, this looks very suspiciously like CVE-2012-2825. I did notice, looking at MITRE's site, that you released an update for openSUSE via openSUSE-SU-2012:0813, but since the link is no longer valid I can't tell if it was for libxslt or Chrome (where this was originally reported). I did try these files on Red Hat Enterprise Linux 5 and 6 (which have been patched for CVE-2012-2825) and there is no crash. The upstream fix you note is different from the one noted for Chrome (http://git.chromium.org/gitweb/?p=chromium/src.git;a=patch;h=bb7bfb81c158268fb242292b7e0fbd2d3b933d09), but those reproducers look identical to me. If you didn't fix CVE-2012-2825 in libxslt, that would explain the vulnerable versions you have.
bug 769182 tracks the CVE-2012-2825 fix, which was found and fixed in 2012 and which we have had for quite some time. This here is a different issue, which was fixed in 2009 (but is also exposed by the DTD files of the testcase for the 2012 CVE). We released both libxslt and chromium: http://lists.opensuse.org/opensuse-updates/2012-07/msg00003.html http://support.novell.com/security/cve/CVE-2012-2825.html So I think it should count as a different issue.
Yeah, I agree. I just realized that our developer snuck in this patch with the changelog entry: "- CVE-2012-2825 requires an extra patch on 1.1.17". So I would agree (replied also on oss-sec). I kinda wish he would have indicated this back then, as I had no idea we had a second patch in there to fix this.
bugbot adjusting priority
CVE-2013-4520 was assigned as it became known as a security issue only now.
all submitted and checked in
Update released for: libxslt, libxslt-32bit, libxslt-debuginfo, libxslt-devel, libxslt-devel-32bit, libxslt-python, libxslt-python-debuginfo
Products: SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)

Update released for: libxslt, libxslt-32bit, libxslt-debuginfo, libxslt-devel, libxslt-devel-32bit, libxslt-python, libxslt-python-debuginfo
Products: SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)

Update released for: libxslt, libxslt-32bit, libxslt-debuginfo, libxslt-debuginfo-32bit, libxslt-debuginfo-x86, libxslt-debugsource, libxslt-devel, libxslt-devel-32bit, libxslt-python, libxslt-python-debuginfo, libxslt-python-debugsource, libxslt-x86
Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP3 (i386, x86_64), SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP3 (i386, x86_64)

Update released for: libxslt, libxslt-32bit, libxslt-debuginfo, libxslt-devel, libxslt-devel-32bit, libxslt-python, libxslt-python-debuginfo
Products: SLE-SERVER 10-SP3-TERADATA (x86_64)

Update released for: libxslt, libxslt-32bit, libxslt-debuginfo, libxslt-debuginfo-32bit, libxslt-debuginfo-x86, libxslt-debugsource, libxslt-devel, libxslt-devel-32bit, libxslt-python, libxslt-python-debuginfo, libxslt-python-debugsource, libxslt-x86
Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP2 (i386, x86_64), SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP2 (i386, x86_64)

Update released for: libxslt, libxslt-32bit, libxslt-debuginfo, libxslt-debuginfo-32bit, libxslt-debugsource, libxslt-devel, libxslt-devel-32bit, libxslt-python, libxslt-python-debuginfo, libxslt-python-debugsource
Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
released