#12209: Fix CVE-2019-11068 in libxslt (Security Framework Bypass)
-------------------------+-----------------------
 Reporter:  renodr        |      Owner:  blfs-book
     Type:  enhancement   |     Status:  new
 Priority:  high          |  Milestone:  8.5
Component:  BOOK          |    Version:  SVN
 Severity:  normal        |   Keywords:
-------------------------+-----------------------
I noticed a Debian Security Update for this on one of my Debian machines,
and thought it was worth looking into. After finding it, I came across
this:
[https://nvd.nist.gov/vuln/detail/CVE-2019-11068]
{{{
libxslt through 1.1.33 allows bypass of a protection mechanism because
callers of xsltCheckRead and xsltCheckWrite permit access even upon
receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL
that is not actually invalid and is subsequently loaded.
}}}
We need to apply the following commit:
[https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6]
The rest of the commits in the libxslt repo from the release of
libxslt-1.1.33 onwards also seem to be security related, though, so we might
just want to create a consolidated patch. Mostly integer overflows, it looks like.
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/12209>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
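The caller bug the NVD text describes, as an added example that is not part of the ticket and not libxslt's code: a check routine follows the same tri-state contract as xsltCheckRead (1 = allowed, 0 = denied, -1 = error), and two callers consume it, one treating only an explicit 0 as a refusal (the pre-fix pattern) and one accepting only an explicit 1 (the post-fix pattern). The policy, the toy URL validator, the crafted `%zz` URL and all function names are assumptions made for the illustration.

```c
/* Added example modelling CVE-2019-11068's caller pattern.
 * NOT libxslt's code: the policy, the toy URL validator and the function
 * names are assumptions that mirror the tri-state contract the NVD text
 * describes for xsltCheckRead (1 = allowed, 0 = denied, -1 = error). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Toy policy (assumption): only stylesheets under this prefix may be read. */
static const char *ALLOWED_PREFIX = "file:///srv/xsl/";

/* Toy URL validation standing in for the check's stricter parsing step.
 * Rejects empty URLs, non-printable bytes, and a '%' not followed by two
 * hex digits. Returns 0 if the URL parses, -1 otherwise. */
static int toy_parse_url(const char *url) {
    size_t i, n = strlen(url);
    if (n == 0)
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x20 || c > 0x7e)
            return -1;
        if (c == '%') {
            if (i + 2 >= n || !isxdigit((unsigned char)url[i + 1])
                           || !isxdigit((unsigned char)url[i + 2]))
                return -1;
        }
    }
    return 0;
}

/* Toy document loader (assumption): laxer than the check, it accepts any
 * non-empty URL, which is what lets a URL the check could not parse still load. */
static int toy_load(const char *url) {
    return url[0] != '\0' ? 1 : 0;
}

/* Tri-state check with the same contract as xsltCheckRead:
 *   1  -> allowed by policy
 *   0  -> denied by policy
 *  -1  -> error (here: the URL did not parse) */
static int model_check_read(const char *url) {
    if (toy_parse_url(url) != 0)
        return -1;
    if (strncmp(url, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) == 0)
        return 1;
    return 0;
}

/* Pre-fix caller pattern: only an explicit 0 is treated as a refusal, so the
 * -1 error path falls through and the document is loaded. Returns 1 if loaded. */
static int load_vulnerable(const char *url) {
    int res = model_check_read(url);
    if (res == 0)
        return 0;            /* denied */
    return toy_load(url);    /* reached for res == 1 AND res == -1 */
}

/* Post-fix caller pattern: anything other than an explicit 1 is a refusal,
 * so a parse error in the check is fail-closed. Returns 1 if loaded. */
static int load_fixed(const char *url) {
    int res = model_check_read(url);
    if (res != 1)
        return 0;            /* denied or error: both refuse */
    return toy_load(url);
}

int main(void) {
    /* Constructed inputs: one allowed, one denied, and one crafted so the
     * check's parser fails while the laxer loader would still accept it. */
    const char *urls[] = {
        "file:///srv/xsl/main.xsl",
        "file:///etc/passwd",
        "file:///etc/passwd%zz",
    };
    size_t i;
    for (i = 0; i < sizeof(urls) / sizeof(urls[0]); i++) {
        printf("%-28s check=%2d  vulnerable=%d  fixed=%d\n", urls[i],
               model_check_read(urls[i]),
               load_vulnerable(urls[i]), load_fixed(urls[i]));
    }
    return 0;
}
```

The third URL is the interesting row: the check returns -1, the pre-fix caller loads it anyway, and the post-fix caller refuses. When auditing similar code, grep for every call site of a tri-state check and confirm it tests for the success value rather than for the failure value.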