Bugzilla – Bug 952474
VUL-1: CVE-2015-7995 libxslt: Type confusion DoS
Last modified: 2018-10-23 22:53:55 UTC
Created attachment 653621 [details]
poc.xml

via oss-sec

http://seclists.org/oss-sec/2015/q4/181
https://bugzilla.redhat.com/show_bug.cgi?id=1257058
https://bugzilla.redhat.com/show_bug.cgi?id=1257962
https://bugzilla.redhat.com/attachment.cgi?id=1086465

> we found that the first parameter "ctxt->myDoc" is a xmlDocPtr, but it
> will be treated as a xmlNodePtr. Obviously, xmlDoc and xmlNode have
> different structure. This is why "xmlDocPtr->children->parent->ns" gets
> an invalid value(0xffffffff), this value comes from
> xmlDoc->compression.

Reproducer: poc.xml attached.

> $ xsltproc poc.xml
> Segmentation fault

Vulnerable code unchanged since 2006.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1257962
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7995
http://seclists.org/oss-sec/2015/q4/181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7995
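The field overlap described in the quoted analysis above, as an added example that is not part of the bug report or of libxslt's code. The structs are simplified stand-ins for libxml2's xmlNode and xmlDoc, the -1 values are constructed, and the type-tag check shows the general mitigation for this class of bug, not the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for libxml2's xmlNode and xmlDoc, constructed for this
 * example: both start with the same header and diverge right after it. */
typedef enum { ELEMENT_NODE = 1, DOCUMENT_NODE = 9 } node_type;
struct ns { const char *href; };
struct header {
    void *_private;
    node_type type;              /* the tag that says what follows the header */
    const char *name;
    void *children, *last, *parent, *next, *prev, *doc;
};
struct node { struct header hdr; struct ns *ns; };                /* like xmlNode */
struct doc  { struct header hdr; int compression, standalone; }; /* like xmlDoc  */

/* 1 when the slot read as node->ns sits exactly on doc->compression. */
int ns_overlaps_compression(void) {
    return offsetof(struct node, ns) == offsetof(struct doc, compression);
}

/* The bits an unchecked cast would load as an `ns` pointer from a document. */
uintptr_t confused_ns_bits(const struct doc *d) {
    uintptr_t bits = 0;
    memcpy(&bits, (const char *)d + offsetof(struct node, ns), sizeof bits);
    return bits;
}

/* Checked accessor: consult the type tag before treating p as an element. */
const struct ns *ns_of(const void *p) {
    const struct header *h = p;
    if (h == NULL || h->type != ELEMENT_NODE)
        return NULL;             /* documents, text nodes, ...: no namespace */
    return ((const struct node *)p)->ns;
}

int main(void) {
    struct ns xsl = { "http://www.w3.org/1999/XSL/Transform" };
    struct node elem = { { NULL, ELEMENT_NODE, "template" }, &xsl };
    struct doc d = { { NULL, DOCUMENT_NODE, NULL }, -1, -1 }; /* constructed */
    printf("overlap=%d confused=%#lx checked_doc=%p checked_elem=%s\n",
           ns_overlaps_compression(), (unsigned long)confused_ns_bits(&d),
           (void *)ns_of(&d), ns_of(&elem)->href);
    return 0;
}
```

With both integer fields set to -1, the slot that would be dereferenced as a namespace pointer is all ones, which matches the invalid value the report attributes to xmlDoc->compression.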
Created attachment 653627 [details] RH proposed patch, not committed upstream
The proposed patch from comment 1 was submitted upstream:
https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
The patch was submitted for openSUSE 13.2 and Factory. SLE is tracked.

| Codestream                | Request#  |
|---------------------------|-----------|
| SUSE:SLE-11:Update        | planned   |
| SUSE:SLE-12:Update        | planned   |
| openSUSE:13.2:Update      | #397038   |
| openSUSE:Leap:42.1:Update | via SLE12 |
| openSUSE:Factory          | #397037   |
This is an autogenerated message for OBS integration: This bug (952474) was mentioned in https://build.opensuse.org/request/show/397038 13.2 / libxslt
openSUSE-SU-2016:1439-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 952474
CVE References: CVE-2015-7995
Sources used:
openSUSE 13.2 (src): libxslt-1.1.28-7.3.1, libxslt-python-1.1.28-7.3.1
Created attachment 716861 [details]
Upstream patch for SLE-10, 11 and 12.

All codestreams of libxslt are affected by CVE-2015-7995:

openSUSE:Factory            1.1.29  Already fixed
openSUSE:Leap:42.2:Update   1.1.28  Comes from SLE-12
openSUSE:Leap:42.1:Update   1.1.28  Comes from SLE-12
SUSE:SLE-12:Update          1.1.28  Patch
SUSE:SLE-11:Update          1.1.24  Patch
SUSE:SLE-10-SP3:Update      1.1.15  Patch

Added patch libxslt-CVE-2015-7995.patch

CVE corrected upstream in version 1.1.29 (commit 7ca19df892ca22d9314e95d59ce2abdeff46b617)

Reassigning bug to the security-team.
Packages submitted to SLE:

SUSE:SLE-12:Update          1.1.28  mr#132281
SUSE:SLE-11:Update          1.1.24  sr#132282
SUSE:SLE-10-SP3:Update      1.1.15  sr#132283
SUSE-SU-2017:1282-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1005591,1035905,934119,952474
CVE References: CVE-2015-7995,CVE-2015-9019,CVE-2016-4738,CVE-2017-5029
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libxslt-1.1.24-19.33.1, libxslt-python-1.1.24-19.33.3
SUSE Linux Enterprise Server 11-SP4 (src): libxslt-1.1.24-19.33.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libxslt-1.1.24-19.33.1, libxslt-python-1.1.24-19.33.3
SUSE-SU-2017:1313-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1005591,1035905,934119,952474
CVE References: CVE-2015-7995,CVE-2015-9019,CVE-2016-4738,CVE-2017-5029
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libxslt-1.1.28-16.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libxslt-1.1.28-16.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libxslt-1.1.28-16.1
SUSE Linux Enterprise Server 12-SP2 (src): libxslt-1.1.28-16.1
SUSE Linux Enterprise Server 12-SP1 (src): libxslt-1.1.28-16.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libxslt-1.1.28-16.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libxslt-1.1.28-16.1
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2017-06-14. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63614
openSUSE-SU-2017:1390-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1005591,1035905,934119,952474
CVE References: CVE-2015-7995,CVE-2015-9019,CVE-2016-4738,CVE-2017-5029
Sources used:
openSUSE Leap 42.2 (src): libxslt-1.1.28-10.3.1, libxslt-python-1.1.28-10.3.1
released