libxslt was updated to version 1.1.29 with several bug and security fixes. http://xmlsoft.org/sources/libxslt-1.1.29.tar.gz
Thanks for the request. Well, according to the NEWS file, we have a security fix in 1.1.29 as well. CC ports-secteam.

@ports-secteam:
* https://git.gnome.org/browse/libxslt/tree/NEWS (1.1.29: May 24 2016)
  CVE-2015-7995 Fix for type confusion in preprocessing attributes (Daniel Veillard)

I'll try to prepare the patch...
Ah, wait. This was being tested in poudriere while I was posting and I didn't wait for the results... looks like the CVE has already been patched in the port. Sorry for the false alert, secteam.
Created attachment 171457 [details]
Update libxslt to 1.1.29

Here's the patch to update to 1.1.29:
* Update version, drop PORTREVISION, adjust pkg-plist, distinfo
* Remove previous FreeBSD patch for CVE-2015-7995 (checked and confirmed the patched code is indeed in libxslt/preproc.c)
* Remove previous FreeBSD patch-xsltproc_xsltproc.c for the "--maxvars" arg check, it's in the code

Tested:
- portlint complains for previous problems
+ poudriere, 10.3-p5 amd64 jail, built fine
- did not do run-test, this is a point release but with quite a lot of fixes
BTW, a quick check that the CVE patch is indeed upstream; this is the commit:
https://git.gnome.org/browse/libxslt/commit/libxslt/preproc.c?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
Two new CVEs are apparently fixed in 1.1.29:

* CVE-2016-1683
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1683
  numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.

* CVE-2016-1684
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1684
  https://git.gnome.org/browse/libxslt/commit/libxslt/numbers.c?id=91d0540ac9beaa86719a05b749219a69baa0dd8d
  numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document.
CC Jason.
Can anyone from gnome@ comment on this? I'm likely going to commit the update and push to quarterly...
After further review, I cannot be sure there are any vulnerabilities addressed by 1.1.29. The CVEs referenced are only for Google Chrome and the changelog for libxslt only notes CVE-2015-7995 which we already fixed with a patch to the port. This is a confusing situation because I don't know if it would be possible for another consumer of libxslt to hit the same vulnerabilities that Chrome did.
Debian appears to have patched their libxslt against these vulns that are supposedly due to Chrome's usage of the library: https://www.debian.org/security/2016/dsa-3605 It would be wise to do the same then. We don't ship Chromium with an embedded libxslt as far as I can tell, so Chrome users are still vulnerable without this library being patched.
A commit references this bug:

Author: feld
Date: Mon Jun 20 19:08:32 UTC 2016
New revision: 417173
URL: https://svnweb.freebsd.org/changeset/ports/417173

Log:
  Update vuxml for libxslt vulnerabilities

  These vulnerabilities were previously reported by Google as they bundle libxslt with Chrome. When we patched Chromium to address these vulnerabilities it was overlooked that we do not bundle the libxslt library with Chromium, but instead use textproc/libxslt. Chromium users have continued to be vulnerable to these CVEs as a result.

  This update fixes the Chromium CVE entry and adds a separate one for libxslt.

  PR: 210298
  Security: CVE-2016-1683
  Security: CVE-2016-1684

Changes:
  head/security/vuxml/vuln.xml
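The point of the vuxml fix above is that a vulnerability entry has to be attached to the package that actually ships the affected code: an entry on chromium did nothing for a Chromium build that links the system textproc/libxslt. As an added example (not code from this PR or from the ports tree), here is the kind of affected-version check a VuXML-style entry enables, run over a constructed list of installed package names. The entry data and the installed list are constructed for the example, and the version comparison is a simplified reading of the FreeBSD pkg version format (epoch after `,`, port revision after `_`, dotted components), which is an assumption of this example rather than a reimplementation of pkg's own comparison.

```python
"""Added example: match installed FreeBSD package names against a
VuXML-style affected-version range (constructed data, simplified versions)."""

# Constructed entry modelled on the libxslt one described in the commit:
# any libxslt below 1.1.29 is affected by both CVEs.
VULN_ENTRIES = [
    {"package": "libxslt", "lt": "1.1.29",
     "cves": ["CVE-2016-1683", "CVE-2016-1684"]},
]


def parse_pkg_name(pkgname):
    """Split 'name-version' (e.g. 'libxslt-1.1.28_7', 'py27-lxml-3.6.0')
    into (name, version). The version is everything after the last '-'
    and must start with a digit, so hyphenated names survive."""
    name, sep, version = pkgname.rpartition("-")
    if not sep or not version or not version[0].isdigit():
        raise ValueError(f"not a name-version package string: {pkgname!r}")
    return name, version


def version_key(version):
    """Return a sortable key (epoch, components, revision).

    Assumption of this example: ',N' is the port epoch (compared first),
    '_N' is the port revision (compared last), and dotted components are
    compared numerically when numeric, otherwise as strings. Numeric
    components sort before non-numeric ones of the same position."""
    epoch = 0
    if "," in version:
        version, epoch_str = version.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    components = []
    for part in version.split("."):
        components.append((0, int(part)) if part.isdigit() else (1, part))
    return epoch, components, revision


def version_lt(a, b):
    """True when package version a is strictly older than b."""
    return version_key(a) < version_key(b)


def check_installed(installed, entries=VULN_ENTRIES):
    """Return (pkgname, cve) pairs for installed packages inside an
    entry's affected range. Matching is by exact package name, so a
    chromium entry would never flag a vulnerable system libxslt."""
    findings = []
    for pkgname in installed:
        name, version = parse_pkg_name(pkgname)
        for entry in entries:
            if name == entry["package"] and version_lt(version, entry["lt"]):
                findings.extend((pkgname, cve) for cve in entry["cves"])
    return findings


if __name__ == "__main__":
    # Constructed installed-package list; versions are illustrative only.
    sample = ["libxslt-1.1.28_7", "chromium-51.0.2704.79", "libxml2-2.9.4"]
    for pkg, cve in check_installed(sample):
        print(f"{pkg}: affected by {cve}")
```

Once libxslt is at 1.1.29 or later the libxslt entry stops matching, which is exactly the state the port update in the next commit is meant to reach; the chromium package version is irrelevant to the check because the affected code lives in the library package.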
A commit references this bug:

Author: feld
Date: Mon Jun 20 19:13:44 UTC 2016
New revision: 417174
URL: https://svnweb.freebsd.org/changeset/ports/417174

Log:
  textproc/libxslt: Update to 1.1.29

  Changelog: https://git.gnome.org/browse/libxslt/commit/NEWS?id=9a1b3ddf6034aa2f6a30b4b7ea4bfc3c4037cd58

  Absent from the Changelog are the CVEs Google discovered, CVE-2016-1683 and CVE-2016-1684. This library needs to be updated to ensure www/chromium is no longer vulnerable to these CVEs.

  Additionally the changelog notes a fix for CVE-2015-7995, but we solved that previously with a patch to the port.

  PR: 210298
  MFH: 2016Q2
  Security: CVE-2016-1683
  Security: CVE-2016-1684

Changes:
  head/textproc/libxslt/Makefile
  head/textproc/libxslt/distinfo
  head/textproc/libxslt/files/patch-CVE-2015-7995
  head/textproc/libxslt/files/patch-xsltproc_xsltproc.c
  head/textproc/libxslt/pkg-plist
A commit references this bug:

Author: feld
Date: Mon Jun 20 19:14:29 UTC 2016
New revision: 417175
URL: https://svnweb.freebsd.org/changeset/ports/417175

Log:
  MFH: r417174

  textproc/libxslt: Update to 1.1.29

  Changelog: https://git.gnome.org/browse/libxslt/commit/NEWS?id=9a1b3ddf6034aa2f6a30b4b7ea4bfc3c4037cd58

  Absent from the Changelog are the CVEs Google discovered, CVE-2016-1683 and CVE-2016-1684. This library needs to be updated to ensure www/chromium is no longer vulnerable to these CVEs.

  Additionally the changelog notes a fix for CVE-2015-7995, but we solved that previously with a patch to the port.

  PR: 210298
  Security: CVE-2016-1683
  Security: CVE-2016-1684
  Approved by: ports-secteam (with hat)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/textproc/libxslt/Makefile
  branches/2016Q2/textproc/libxslt/distinfo
  branches/2016Q2/textproc/libxslt/files/patch-CVE-2015-7995
  branches/2016Q2/textproc/libxslt/files/patch-xsltproc_xsltproc.c
  branches/2016Q2/textproc/libxslt/pkg-plist