evaluate upstream libxslt patches mentioned in USN-3271-1 #1634
This issue is to drive investigation and potential action around a set of upstream libxslt patches that Canonical judged valuable enough to port to their distributions.
USN-3271-1
"libxslt vulnerabilities"
https://www.ubuntu.com/usn/usn-3271-1/
CVE-2017-5029
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
priority: medium
The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in
Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux
and 57.0.2987.108 for Android, lacked a check for integer overflow during a
size calculation, which allowed a remote attacker to perform an out of
bounds memory write via a crafted HTML page.
patches:
- (unreleased upstream) https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5
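As an added illustration of the bug class described for CVE-2017-5029 (example code written for this issue, not libxslt's own xsltAddTextString), a text-buffer append whose size calculation is checked against INT_MAX before the buffer is grown; the struct and function names are assumed.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Growable NUL-terminated text buffer. Illustration only, modelled on the
 * kind of size/use bookkeeping the CVE description refers to. */
typedef struct {
    char *data;  /* buffer contents, NUL-terminated */
    int   size;  /* allocated bytes */
    int   use;   /* bytes in use, excluding the NUL */
} text_buf;

/* Append len bytes of text. Returns 0 on success, -1 if the size
 * calculation would overflow int or the allocation fails. */
int text_buf_append(text_buf *tb, const char *text, int len)
{
    int min_size, extra, new_size;
    char *p;

    if (len < 0)
        return -1;
    /* use + len + 1 must fit in int. The comparison is rearranged so the
     * check itself cannot overflow. Without it a huge len wraps min_size to
     * a small or negative value, realloc hands back a tiny block and the
     * memcpy below writes far past its end. */
    if (len > INT_MAX - tb->use - 1)
        return -1;
    min_size = tb->use + len + 1;

    if (tb->size < min_size) {
        /* grow geometrically, by at least 100 bytes, saturating at INT_MAX */
        extra = min_size < 100 ? 100 : min_size;
        new_size = (extra > INT_MAX - tb->size) ? INT_MAX : tb->size + extra;
        p = realloc(tb->data, (size_t)new_size);
        if (p == NULL)
            return -1;
        tb->data = p;
        tb->size = new_size;
    }
    memcpy(tb->data + tb->use, text, (size_t)len);
    tb->use += len;
    tb->data[tb->use] = '\0';
    return 0;
}
```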
CVE-2016-1683
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1683.html
priority: medium
numbers.c in libxslt before 1.1.29, as used in Google Chrome before
51.0.2704.63, mishandles namespace nodes, which allows remote attackers to
cause a denial of service (out-of-bounds heap memory access) or possibly
have unspecified other impact via a crafted document.
patches:
- (in libxslt 1.1.29) https://git.gnome.org/browse/libxslt/commit/?id=d182d8f6ba3071503d96ce17395c9d55871f0242
CVE-2016-1841
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1841.html
priority: medium
libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS
before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via a
crafted web site.
patches:
- (in libxslt 1.1.29) https://git.gnome.org/browse/libxslt/commit/?id=fc1ff481fd01e9a65a921c542fed68d8c965e8a3
CVE-2015-7995
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7995.html
priority: low
The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
check if the parent node is an element, which allows attackers to cause a
denial of service via a crafted XML file, related to a "type confusion"
issue.
patches:
- (in libxslt 1.1.29) https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
CVE-2016-1684
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1684.html
priority: medium
numbers.c in libxslt before 1.1.29, as used in Google Chrome before
51.0.2704.63, mishandles the i format token for xsl:number data, which
allows remote attackers to cause a denial of service (integer overflow or
resource consumption) or possibly have unspecified other impact via a
crafted document.
patches:
- (in libxslt 1.1.29) https://git.gnome.org/browse/libxslt/commit/?id=91d0540ac9beaa86719a05b749219a69baa0dd8d
- (in libxslt 1.1.29) https://git.gnome.org/browse/libxslt/commit/?id=405034286fbdd6166229335b7203a41bf53b40fc
CVE-2016-4738
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
priority: medium
libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
watchOS before 3 allows remote attackers to execute arbitrary code or cause
a denial of service (memory corruption) via a crafted web site.
patches:
- (unreleased upstream) https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880