libxslt 1.1.24 local crash

2013.11.06
Credit: Marcus
Risk: Medium
Local: Yes
Remote: No


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Our QA found that the reproducer in CVE-2012-2825 (magic.xsl and magic.xml) also exposes another libxslt crash in older libxslt versions.

https://bugzilla.novell.com/show_bug.cgi?id=849019

This bug was fixed in libxslt 1.1.25 with this commit:
https://gitorious.org/libxslt/libxslt/commit/7089a62b8f133b42a2981cf1f920a8b3fe9a8caa

/* 4945 4947 * This is an element which will be output as part of the 4946 4948 * template exectution, precompile AVT if found. 4947 4949 */ 4948 if ((cur->ns == NULL) && (style->defaultAlias != NULL) && 4949 (cur->type == XML_ELEMENT_NODE)) { 4950 if ((cur->ns == NULL) && (style->defaultAlias != NULL)) { 4950 4951 cur->ns = xmlSearchNsByHref(cur->doc, cur, 4951 4952 style->defaultAlias); 4952 4953 }

commit 7089a62b8f133b42a2981cf1f920a8b3fe9a8caa
Author: Martin <gzlist () googlemail com>
Date: Wed Sep 16 19:02:16 2009 +0200

Crash compiling stylesheet with DTD

* libxslt/xslt.c: when a stylesheet embeds a DTD the compilation process could go seriously wrong

Crash as a xmlDtd struct is accessed as a xmlNode, not really attacker controllable I would say, but a denial of service (crash).

Ciao, Marcus
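Review bot: in the `if` that guards the `xmlSearchNsByHref` assignment, `cur->type == XML_ELEMENT_NODE` is the last operand of the `&&` chain, so `cur->ns` is still read before the node is known to be an element. Because `&&` evaluates left to right, moving the type test to the front would keep both the read and the write of `cur->ns` away from non-element nodes such as the DTD named in the commit message. The comment above the condition only mentions elements being output and AVT precompilation, so a sentence there saying why non-element nodes are skipped would make the guard harder to remove by accident; "exectution" in that comment should read "execution". No test stylesheet with an embedded DTD is visible alongside this change, and one would be worth adding as a regression case.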

References:

http://cxsecurity.com/issue/WLB-2013030217
https://gitorious.org/libxslt/libxslt/commit/7089a62b8f133b42a2981cf1f920a8b3fe9a8caa

