CVE-2012-2825

Related Vulnerabilities: CVE-2012-2825   CVE-2012-2807   CVE-2011-1202   CVE-2011-3970  

Debian Bug report logs - #679283
CVE-2012-2825


Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Wed, 27 Jun 2012 15:21:09 UTC

Severity: grave

Tags: security

Fixed in versions libxslt/1.1.26-13, libxslt/1.1.26-6+squeeze1

Done: Aron Xu <aron@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#679283; Package libxslt. (Wed, 27 Jun 2012 15:21:13 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Wed, 27 Jun 2012 15:21:13 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-2825
Date: Wed, 27 Jun 2012 17:20:15 +0200

Package: libxslt
Severity: grave
Tags: security

The Chrome developers found a denial of service issue in the embedded copy of
libxslt, which has been assigned CVE-2012-2825:

http://googlechromereleases.blogspot.de/2012/06/stable-channel-update_26.html:

[$500] [127417] Medium CVE-2012-2825: Wild read in XSL handling. Credit to Nicholas Gregoire.

This is fixed by the following commit:
http://git.chromium.org/gitweb/?p=chromium/src.git;a=patch;h=bb7bfb81c158268fb242292b7e0fbd2d3b933d09

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#679283; Package libxslt. (Thu, 28 Jun 2012 06:45:10 GMT)


Acknowledgement sent to Aron Xu <happyaron.xu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Thu, 28 Jun 2012 06:45:10 GMT)


Message #10 received at 679283@bugs.debian.org:

From: Aron Xu <happyaron.xu@gmail.com>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 679283@bugs.debian.org
Subject: Re: [xml/sgml-pkgs] Bug#679283: CVE-2012-2825
Date: Thu, 28 Jun 2012 14:42:54 +0800

Will make an upload to fix the bug soon, and maybe we need to prepare
a fix for stable?



-- 
Regards,
Aron Xu




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#679283; Package libxslt. (Thu, 28 Jun 2012 07:06:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <muehlenhoff@univention.de>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Thu, 28 Jun 2012 07:06:02 GMT)


Message #15 received at 679283@bugs.debian.org:

From: Moritz Mühlenhoff <muehlenhoff@univention.de>
To: Aron Xu <happyaron.xu@gmail.com>
Cc: 679283@bugs.debian.org
Subject: Re: [xml/sgml-pkgs] Bug#679283: CVE-2012-2825
Date: Thu, 28 Jun 2012 09:03:44 +0200

On Thursday, 28 June 2012 08:42:54 Aron Xu wrote:
> Will make an upload to fix the bug soon, and maybe we need to prepare
> a fix for stable?

The impact of this issue is rather low, can you fix this through a stable point
update?
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

We should fix CVE-2012-2807 through a DSA, though.

Cheers,
Moritz
-- 
Moritz Mühlenhoff                         muehlenhoff@univention.de
Open Source Software Engineer
Univention GmbH  be open.                        fon: +49 421 22 232- 0
Mary-Somerville-Str.1  28359 Bremen          fax: +49 421 22 232-99
http://www.univention.de




Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Thu, 05 Jul 2012 09:51:36 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Thu, 05 Jul 2012 09:51:49 GMT)


Message #20 received at 679283-close@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: 679283-close@bugs.debian.org
Subject: Bug#679283: fixed in libxslt 1.1.26-13
Date: Thu, 05 Jul 2012 09:47:39 +0000

Source: libxslt
Source-Version: 1.1.26-13

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive:

libxslt1-dbg_1.1.26-13_amd64.deb
  to main/libx/libxslt/libxslt1-dbg_1.1.26-13_amd64.deb
libxslt1-dev_1.1.26-13_amd64.deb
  to main/libx/libxslt/libxslt1-dev_1.1.26-13_amd64.deb
libxslt1.1_1.1.26-13_amd64.deb
  to main/libx/libxslt/libxslt1.1_1.1.26-13_amd64.deb
libxslt_1.1.26-13.debian.tar.gz
  to main/libx/libxslt/libxslt_1.1.26-13.debian.tar.gz
libxslt_1.1.26-13.dsc
  to main/libx/libxslt/libxslt_1.1.26-13.dsc
python-libxslt1-dbg_1.1.26-13_amd64.deb
  to main/libx/libxslt/python-libxslt1-dbg_1.1.26-13_amd64.deb
python-libxslt1_1.1.26-13_amd64.deb
  to main/libx/libxslt/python-libxslt1_1.1.26-13_amd64.deb
xsltproc_1.1.26-13_amd64.deb
  to main/libx/libxslt/xsltproc_1.1.26-13_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 679283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 05 Jul 2012 11:09:19 +0800
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1 python-libxslt1-dbg
Architecture: source amd64
Version: 1.1.26-13
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description: 
 libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
 libxslt1-dev - XSLT 1.0 processing library - development kit
 libxslt1.1 - XSLT 1.0 processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 python-libxslt1-dbg - Python bindings for libxslt1 (debug extension)
 xsltproc   - XSLT 1.0 command line processor
Closes: 679283
Changes: 
 libxslt (1.1.26-13) unstable; urgency=low
 .
   * Patch to fix CVE-2012-2825 (Closes: #679283).





Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Thu, 12 Jul 2012 22:51:32 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Thu, 12 Jul 2012 22:52:31 GMT)


Message #25 received at 679283-close@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: 679283-close@bugs.debian.org
Subject: Bug#679283: fixed in libxslt 1.1.26-6+squeeze1
Date: Thu, 12 Jul 2012 22:47:15 +0000

Source: libxslt
Source-Version: 1.1.26-6+squeeze1

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 679283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 05 Jul 2012 11:31:18 +0800
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1 python-libxslt1-dbg
Architecture: source amd64
Version: 1.1.26-6+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description: 
 libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
 libxslt1-dev - XSLT 1.0 processing library - development kit
 libxslt1.1 - XSLT 1.0 processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 python-libxslt1-dbg - Python bindings for libxslt1 (debug extension)
 xsltproc   - XSLT 1.0 command line processor
Closes: 617413 660650 679283
Changes: 
 libxslt (1.1.26-6+squeeze1) stable; urgency=low
 .
   [ Daniel Veillard ]
   * Fix generate-id() to not expose object addresses
     CVE-2011-1202, Closes: #617413.
 .
   [ Abhishek Arya ]
   * Fix some case of pattern parsing errors
     CVE-2011-3970, Closes: #660650.
 .
   [ Chris Evans ]
   * [PATCH] Fix crash with unexpected DTD nodes in XSLT.
     CVE-2012-2825, Closes: #679283.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:31:49 GMT)


Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Thu, 17 Jan 2013 13:06:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#679283; Package libxslt. (Fri, 18 Jan 2013 12:36:05 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Fri, 18 Jan 2013 12:36:05 GMT)


Message #34 received at 679283@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 679283@bugs.debian.org
Subject: Re: CVE-2012-2825
Date: Fri, 18 Jan 2013 12:15:05 -0000

Package: libxslt

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/679283/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Feb 2013 07:28:15 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:57:30 2019; Machine Name: buxtehude
