FS#47681 - [libxslt] CVE-2015-7995: denial of service

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Saturday, 09 January 2016, 14:54 GMT
Last edited by Jan de Groot (JGC) - Wednesday, 13 January 2016, 11:53 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Jan de Groot (JGC)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Hi,

We have an unpatched vulnerability in our current libxslt package, CVE-2015-7995 [1], which can result in a crash when parsing a specially crafted XML document [2]. A very small patch fixing the issue has been committed upstream [3] but there has not been a new release yet. I believe we should backport this patch, as there is no way to know if a new version is going to be released anytime soon.

[1] https://access.redhat.com/security/cve/CVE-2015-7995
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1257962
[3] https://git.gnome.org/browse/libxslt/commit/?h=CVE-2015-7995&id=7ca19df892ca22d9314e95d59ce2abdeff46b617

Closed by Jan de Groot (JGC)
Wednesday, 13 January 2016, 11:53 GMT
Reason for closing: Fixed
Comment by Colin Heinzmann (DepthDeluxe) - Saturday, 09 January 2016, 18:06 GMT
Added the patchfile to the PKGBUILD.
