Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : libxslt vulnerabilities (USN-1595-1)

Ubuntu Security Notice (C) 2012-2013 Canonical, Inc. / NASL script (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Chris Evans discovered that libxslt incorrectly handled generate-id
XPath functions. If a user or automated system were tricked into
processing a specially crafted XSLT document, a remote attacker could
obtain potentially sensitive information. This issue only affected
Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 11.04. (CVE-2011-1202)

It was discovered that libxslt incorrectly parsed certain patterns. If
a user or automated system were tricked into processing a specially
crafted XSLT document, a remote attacker could cause libxslt to crash,
causing a denial of service. (CVE-2011-3970)

Nicholas Gregoire discovered that libxslt incorrectly handled
unexpected DTD nodes. If a user or automated system were tricked into
processing a specially crafted XSLT document, a remote attacker could
cause libxslt to crash, causing a denial of service. (CVE-2012-2825)

Nicholas Gregoire discovered that libxslt incorrectly managed memory.
If a user or automated system were tricked into processing a specially
crafted XSLT document, a remote attacker could cause libxslt to crash,
causing a denial of service. (CVE-2012-2870)

Nicholas Gregoire discovered that libxslt incorrectly handled certain
transforms. If a user or automated system were tricked into processing
a specially crafted XSLT document, a remote attacker could cause
libxslt to crash, causing a denial of service, or possibly execute
arbitrary code. (CVE-2012-2871)

Cris Neckar discovered that libxslt incorrectly managed memory. If a
user or automated system were tricked into processing a specially
crafted XSLT document, a remote attacker could cause libxslt to crash,
causing a denial of service, or possibly execute arbitrary code.
(CVE-2012-2893).

Solution :

Update the affected libxslt1.1 package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 62435 ()

Bugtraq ID: 47668
51911
54203
55331
55676

CVE ID: CVE-2011-1202
CVE-2011-3970
CVE-2012-2825
CVE-2012-2870
CVE-2012-2871
CVE-2012-2893