libxslt: CVE-2016-4738: possible heap overread


Debian Bug report logs - #842570
libxslt: CVE-2016-4738: possible heap overread


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 30 Oct 2016 13:12:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version libxslt/1.1.28-2

Fixed in versions libxslt/1.1.29-2, libxslt/1.1.28-2+deb8u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#842570; Package src:libxslt. (Sun, 30 Oct 2016 13:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Sun, 30 Oct 2016 13:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxslt: CVE-2016-4738: possible heap overread
Date: Sun, 30 Oct 2016 14:09:41 +0100
Source: libxslt
Version: 1.1.28-2
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for libxslt.

CVE-2016-4738[0]:
| libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
| watchOS before 3 allows remote attackers to execute arbitrary code or
| cause a denial of service (memory corruption) via a crafted web site.

Unfortunately as for many libxml2 issues, the above is not very
specific and there is upstream bug referenced. But the fix is
mentioned as [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4738
[1] https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility. (Sun, 30 Oct 2016 15:51:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 30 Oct 2016 15:51:09 GMT)


Message #10 received at 842570-close@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 842570-close@bugs.debian.org
Subject: Bug#842570: fixed in libxslt 1.1.29-2
Date: Sun, 30 Oct 2016 15:47:56 +0000
Source: libxslt
Source-Version: 1.1.29-2

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842570@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 30 Oct 2016 14:01:00 +0000
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1 python-libxslt1-dbg
Architecture: source
Version: 1.1.29-2
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
 libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
 libxslt1-dev - XSLT 1.0 processing library - development kit
 libxslt1.1 - XSLT 1.0 processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 python-libxslt1-dbg - Python bindings for libxslt1 (debug extension)
 xsltproc   - XSLT 1.0 command line processor
Closes: 842570
Changes:
 libxslt (1.1.29-2) unstable; urgency=high
 .
   * Team upload.
   * Bump debhelper compat level to 10.
     + --parallel is now default
     + --with autoreconf is now default
   * Add patch from upstream to fix a heap overread which could cause remote
     arbitrary code execution or denial of service.
     Closes: #842570 CVE-2016-4738
Checksums-Sha1:
 5d433d7ee06ef9805b0b588be91296c3cbcc43b2 2368 libxslt_1.1.29-2.dsc
 0c9a27255fbff85efa011b577810e59889978c3b 27884 libxslt_1.1.29-2.debian.tar.xz
Checksums-Sha256:
 dcedd2cbe791c0053253181fc71cfae5a7e9babe081c80eb65e05b64efe5287e 2368 libxslt_1.1.29-2.dsc
 c206efbcc3bd857316e9f01059b1095e42552b3321b398168ff4bfcc0b01910c 27884 libxslt_1.1.29-2.debian.tar.xz
Files:
 ae68aff650760e797559f99686a69b76 2368 text optional libxslt_1.1.29-2.dsc
 94cf8bdb259f8248564061786b31be6e 27884 text optional libxslt_1.1.29-2.debian.tar.xz





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 13 Nov 2016 11:21:24 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 13 Nov 2016 11:21:24 GMT)


Message #15 received at 842570-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 842570-close@bugs.debian.org
Subject: Bug#842570: fixed in libxslt 1.1.28-2+deb8u2
Date: Sun, 13 Nov 2016 11:17:12 +0000
Source: libxslt
Source-Version: 1.1.28-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842570@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 06 Nov 2016 21:43:39 +0100
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1 python-libxslt1-dbg
Architecture: source
Version: 1.1.28-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 842570
Description: 
 libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
 libxslt1-dev - XSLT 1.0 processing library - development kit
 libxslt1.1 - XSLT 1.0 processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 python-libxslt1-dbg - Python bindings for libxslt1 (debug extension)
 xsltproc   - XSLT 1.0 command line processor
Changes:
 libxslt (1.1.28-2+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix heap overread in xsltFormatNumberConversion (CVE-2016-4738)
     (Closes: #842570)
Checksums-Sha1: 
 6a250431bb43b792352b0d17dcce4e62aee3fc2c 2529 libxslt_1.1.28-2+deb8u2.dsc
 aa8895a781dc554bfe6416843ef25b4cffa054df 37564 libxslt_1.1.28-2+deb8u2.debian.tar.xz
Checksums-Sha256: 
 e5a1286006f7c9d136f1a2441e4993deb35551ed359d4cb7492d3128835f6f64 2529 libxslt_1.1.28-2+deb8u2.dsc
 218aa08affb2a5c8b8935a8b44d09e7727cbf453576b4c3e0886fd86a966cca0 37564 libxslt_1.1.28-2+deb8u2.debian.tar.xz
Files: 
 11e4607da911d652afd3bd9c8ffe4c1f 2529 text optional libxslt_1.1.28-2+deb8u2.dsc
 d875d4c91dd9e2837f92565d6197f97e 37564 text optional libxslt_1.1.28-2+deb8u2.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 09:13:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:11:19 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.