Bug 210298 - textproc/libxslt: Update to 1.1.29
Summary: textproc/libxslt: Update to 1.1.29
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-gnome (Nobody)
URL:
Keywords: easy, patch, patch-ready, security
Depends on:
Blocks:
 
Reported: 2016-06-15 08:31 UTC by freebsd
Modified: 2016-06-20 19:15 UTC (History)
See Also:
bugzilla: maintainer-feedback? (gnome)


Attachments
Update libxslt to 1.1.29 (3.68 KB, patch)
2016-06-15 10:28 UTC, VK
vlad-fbsd: maintainer-approval? (gnome)
Description freebsd 2016-06-15 08:31:34 UTC
libxslt was updated to version 1.1.29 with several bug and security fixes.

http://xmlsoft.org/sources/libxslt-1.1.29.tar.gz
Comment 1 VK freebsd_triage 2016-06-15 09:47:27 UTC
Thanks for the request. Well, according to the NEWS file, we have a security fix in 1.1.29 as well. CC ports-secteam.

@ports-secteam: 

* https://git.gnome.org/browse/libxslt/tree/NEWS (1.1.29: May 24 2016)

  CVE-2015-7995 Fix for type confusion in preprocessing attributes (Daniel Veillard)

I'll try to prepare the patch...
Comment 2 VK freebsd_triage 2016-06-15 09:50:55 UTC
Ah, wait. This was testing in poudriere while I was posting and I didn't wait for the results... looks like the CVE has already been patched in the port. Sorry for the false alert, secteam.
Comment 3 VK freebsd_triage 2016-06-15 10:28:21 UTC
Created attachment 171457 [details]
Update libxslt to 1.1.29

Here's the patch to update to 1.1.29:

* Update version, drop PORTREVISION, adjust pkg-plist, distinfo
* Remove previous FreeBSD patch for CVE-2015-7995
  (checked and confirmed the patched code is indeed in libxslt/preproc.c)
* Remove previous FreeBSD patch-xsltproc_xsltproc.c
  for "--maxvars" arg check, it's in the code

Tested:

- portlint complains for previous problems
+ poudriere, 10.3-p5 amd64 jail, built fine
- did not do a run test; this is a point release but with quite a lot of fixes
Comment 4 VK freebsd_triage 2016-06-15 15:12:25 UTC
BTW, quick check that the CVE patch is indeed upstream, this is the commit:

https://git.gnome.org/browse/libxslt/commit/libxslt/preproc.c?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
Comment 5 VK freebsd_triage 2016-06-19 10:37:09 UTC
Two new CVEs are apparently fixed in 1.1.29:

* CVE-2016-1683
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1683

  numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.

* CVE-2016-1684
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1684
  https://git.gnome.org/browse/libxslt/commit/libxslt/numbers.c?id=91d0540ac9beaa86719a05b749219a69baa0dd8d

  numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document.
Comment 6 VK freebsd_triage 2016-06-19 10:37:43 UTC
CC Jason.
Comment 7 Mark Felder freebsd_committer 2016-06-20 17:58:05 UTC
Can anyone from gnome@ comment on this? I'm likely going to commit the update and push to quarterly...
Comment 8 Mark Felder freebsd_committer 2016-06-20 18:42:25 UTC
After further review, I cannot be sure there are any vulnerabilities addressed by 1.1.29. The CVEs referenced are only for Google Chrome and the changelog for libxslt only notes CVE-2015-7995, which we already fixed with a patch to the port.

This is a confusing situation because I don't know if it would be possible for another consumer of libxslt to hit the same vulnerabilities that Chrome did.
Comment 9 Mark Felder freebsd_committer 2016-06-20 18:50:11 UTC
Debian appears to have patched their libxslt against these vulns that are supposedly due to Chrome's usage of the library:

https://www.debian.org/security/2016/dsa-3605

It would be wise to do the same then. We don't ship Chromium with an embedded libxslt as far as I can tell, so Chrome users are still vulnerable without this library being patched.
Comment 10 commit-hook freebsd_committer 2016-06-20 19:09:22 UTC
A commit references this bug:

Author: feld
Date: Mon Jun 20 19:08:32 UTC 2016
New revision: 417173
URL: https://svnweb.freebsd.org/changeset/ports/417173

Log:
  Update vuxml for libxslt vulnerabilities

  These vulnerabilities were previously reported by Google as they bundle
  libxslt with Chrome. When we patched Chromium to address these
  vulnerabilities it was overlooked that we do not bundle libxslt library
  with Chromium, but instead use textproc/libxslt. Chromium users have
  continued to be vulnerable to these CVEs as a result. This update fixes
  the Chromium CVE entry and adds a separate one for libxslt.

  PR:		210298
  Security:	CVE-2016-1683
  Security:	CVE-2016-1684

Changes:
  head/security/vuxml/vuln.xml
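As an added example (not code from this bug, the ports tree or vuxml): a small audit that applies the threshold the vuxml commit above records, libxslt below 1.1.29 affected by CVE-2016-1683 and CVE-2016-1684, to constructed `pkg info`-style lines. It assumes FreeBSD package-name syntax `name-version[_revision][,epoch]` and ordinary dotted upstream versions; the sample lines and the `audit` helper are my own.

```python
import re

# Threshold from the vuxml entry for this bug: libxslt < 1.1.29 is affected.
FIXED_VERSION = "1.1.29"
AFFECTED_CVES = ("CVE-2016-1683", "CVE-2016-1684")

# name-version, where the version part carries no '-' (FreeBSD pkg convention).
_PKG_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)$")


def parse_pkg(pkgname):
    """Split 'libxslt-1.1.28_8,1' into (name, version, revision, epoch)."""
    m = _PKG_RE.match(pkgname)
    if not m:
        raise ValueError(f"not a package name: {pkgname!r}")
    name, full = m.group("name"), m.group("version")
    epoch = 0
    if "," in full:                      # trailing ',N' is PORTEPOCH
        full, e = full.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in full:                      # trailing '_N' is PORTREVISION
        full, r = full.split("_", 1)
        revision = int(r)
    return name, full, revision, epoch


def version_key(version, revision=0, epoch=0):
    """Ordering key: epoch wins, then upstream components, then PORTREVISION.
    Digit runs compare numerically, letter runs lexically (assumption: enough
    for libxslt's versions; pkg's full comparison rules are richer)."""
    toks = re.findall(r"\d+|[A-Za-z]+", version)
    parts = tuple((0, int(t)) if t.isdigit() else (1, t) for t in toks)
    return (epoch, parts, revision)


def is_affected(pkgname, fixed=FIXED_VERSION):
    """True if pkgname is a libxslt package older than the fixed version.
    A port patched only for CVE-2015-7995 (e.g. 1.1.28_8) still counts."""
    name, version, revision, epoch = parse_pkg(pkgname)
    if name != "libxslt":
        return False
    return version_key(version, revision, epoch) < version_key(fixed)


# Constructed sample in `pkg info` layout; not taken from a real host.
SAMPLE_PKG_INFO = """\
libxslt-1.1.28_8         The XSLT C library for GNOME
libxml2-2.9.4            XML parser library for GNOME
chromium-51.0.2704.84    Google web browser based on WebKit
"""


def audit(pkg_info_text):
    """Return [(pkgname, cves)] for every affected package in the listing."""
    findings = []
    for line in pkg_info_text.splitlines():
        if line.strip() and is_affected(line.split()[0]):
            findings.append((line.split()[0], AFFECTED_CVES))
    return findings
```

Note that a Chromium package shows up clean here even though it depends on the affected library, which is exactly the gap Comment 9 describes.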
Comment 11 commit-hook freebsd_committer 2016-06-20 19:14:24 UTC
A commit references this bug:

Author: feld
Date: Mon Jun 20 19:13:44 UTC 2016
New revision: 417174
URL: https://svnweb.freebsd.org/changeset/ports/417174

Log:
  textproc/libxslt: Update to 1.1.29

  Changelog: https://git.gnome.org/browse/libxslt/commit/NEWS?id=9a1b3ddf6034aa2f6a30b4b7ea4bfc3c4037cd58

  Absent from the Changelog are the CVEs Google discovered, CVE-2016-1683
  and CVE-2016-1684. This library needs to be updated to ensure
  www/chromium is no longer vulnerable to these CVEs. Additionally the
  changelog notes a fix for CVE-2015-7995, but we solved that previously
  with a patch to the port.

  PR:		210298
  MFH:		2016Q2
  Security:	CVE-2016-1683
  Security:	CVE-2016-1684

Changes:
  head/textproc/libxslt/Makefile
  head/textproc/libxslt/distinfo
  head/textproc/libxslt/files/patch-CVE-2015-7995
  head/textproc/libxslt/files/patch-xsltproc_xsltproc.c
  head/textproc/libxslt/pkg-plist
Comment 12 commit-hook freebsd_committer 2016-06-20 19:15:27 UTC
A commit references this bug:

Author: feld
Date: Mon Jun 20 19:14:29 UTC 2016
New revision: 417175
URL: https://svnweb.freebsd.org/changeset/ports/417175

Log:
  MFH: r417174

  textproc/libxslt: Update to 1.1.29

  Changelog: https://git.gnome.org/browse/libxslt/commit/NEWS?id=9a1b3ddf6034aa2f6a30b4b7ea4bfc3c4037cd58

  Absent from the Changelog are the CVEs Google discovered, CVE-2016-1683
  and CVE-2016-1684. This library needs to be updated to ensure
  www/chromium is no longer vulnerable to these CVEs. Additionally the
  changelog notes a fix for CVE-2015-7995, but we solved that previously
  with a patch to the port.

  PR:		210298
  Security:	CVE-2016-1683
  Security:	CVE-2016-1684

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/textproc/libxslt/Makefile
  branches/2016Q2/textproc/libxslt/distinfo
  branches/2016Q2/textproc/libxslt/files/patch-CVE-2015-7995
  branches/2016Q2/textproc/libxslt/files/patch-xsltproc_xsltproc.c
  branches/2016Q2/textproc/libxslt/pkg-plist