Nokogiri: evaluate upstream libxslt patches mentioned in USN-3271-1

Created on 28 Apr 2017  路  4Comments  路  Source: sparklemotion/nokogiri

This issue is to drive investigation and potential action around a set of upstream libxslt patches that Canonical judged valuable enough to port to their distributions.

USN-3271-1

"libxslt vulnerabilities"

https://www.ubuntu.com/usn/usn-3271-1/

CVE-2017-5029

http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html

priority: medium

The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in
Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux
and 57.0.2987.108 for Android, lacked a check for integer overflow during a
size calculation, which allowed a remote attacker to perform an out of
bounds memory write via a crafted HTML page.

patches:

CVE-2016-1683

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1683.html

priority: medium

numbers.c in libxslt before 1.1.29, as used in Google Chrome before
51.0.2704.63, mishandles namespace nodes, which allows remote attackers to
cause a denial of service (out-of-bounds heap memory access) or possibly
have unspecified other impact via a crafted document.

patches:

CVE-2016-1841

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1841.html

priority: medium

libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS
before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via a
crafted web site.

patches:

CVE-2015-7995

http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7995.html

priority: low

The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
check if the parent node is an element, which allows attackers to cause a
denial of service via a crafted XML file, related to a "type confusion"
issue.

patches:

CVE-2016-1684

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1684.html

priority: medium

numbers.c in libxslt before 1.1.29, as used in Google Chrome before
51.0.2704.63, mishandles the i format token for xsl:number data, which
allows remote attackers to cause a denial of service (integer overflow or
resource consumption) or possibly have unspecified other impact via a
crafted document.

patches:

CVE-2016-4738

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html

priority: medium

libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
watchOS before 3 allows remote attackers to execute arbitrary code or cause
a denial of service (memory corruption) via a crafted web site.

patches:

topisecurity vendorelibxslt

Most helpful comment

And merged into master. Closing.

All 4 comments

To focus the decision, there are only two patches in this set that were not in libxslt 1.1.29; the patch for CVE-2017-5029 (medium) and for CVE-2016-4738 (medium).

I'd like to port these to Nokogiri and cut v1.7.2 as a security release.

I'll do this in the next few days unless I hear compelling objections here in the next 24 hours.

3c8d673 on the v1.7.x branch is green:

image

shipping it now.

v1.7.2 has been released with these patches.

And merged into master. Closing.

Was this page helpful?
0 / 5 - 0 ratings