[xml/sgml-pkgs] Bug#482664: Bug#482664: CVE-2008-1767: buffver overflow in pattern.c
Mike Hommey
mh at glandium.org
Sat May 24 15:01:52 UTC 2008
On Sat, May 24, 2008 at 08:16:05PM +1000, Steffen Joeris wrote:
> Package: libxslt1.1
> Version: 1.1.23-1
> Severity: grave
> Tags: security, patch
> Justification: user security hole
>
> Hi
>
> The following CVE(0) has been issued against libxslt.
>
> CVE-2008-1767:
>
> Buffer overflow in pattern.c in libxslt before 1.1.24 allows
> context-dependent attackers to cause a denial of service (crash) and
> possibly execute arbitrary code via an XSL style sheet file with a long
> XSLT "transformation match" condition that triggers a large number of
> steps.
>
> Upstream patch is attached.
>
> Please mention the CVE id in your changelog, when you fix this bug.
I haven't had time to take a deep look at the issue. Anyways, uploading
1.1.24 in unstable (which was planned) should fix this. Is an update
for stable required ? Or is the security team already working on it?
Mike
More information about the debian-xml-sgml-pkgs
mailing list