Buffer overflow in pattern.c in libxslt before 1.1.24 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XSL style sheet file with a long XSLT "transformation match" condition that triggers a large number of steps.

From Red Hat Security Advisory 2008:0287 :

Updated libxslt packages that fix a security issue are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

libxslt is a C library, based on libxml, for parsing of XML files into other textual formats (eg HTML, plain text and other XML representations of the underlying data) It uses the standard XSLT stylesheet transformation mechanism and, being written in plain ANSI C, is designed to be simple to incorporate into other applications

Anthony de Almeida Lopes reported the libxslt library did not properly process long 'transformation match' conditions in the XSL stylesheet files. An attacker could create a malicious XSL file that would cause a crash, or, possibly, execute and arbitrary code with the privileges of the application using libxslt library to perform XSL transformations. (CVE-2008-1767)

All users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.

Anthony de Almeida Lopes reported the libxslt library did not properly process long 'transformation match' conditions in the XSL stylesheet files. An attacker could create a malicious XSL file that would cause a crash, or, possibly, execute and arbitrary code with the privileges of the application using libxslt library to perform XSL transformations. (CVE-2008-1767)

A libxslt XSL-match processing overflow has been fixed. CVE-2008-1767 has been assigned to this issue.

A buffer overflow vulnerability in libxslt could be exploited via an XSL style sheet file with a long XLST transformation match condition, which could possibly lead to the execution of arbitrary code (CVE-2008-1767).

The updated packages have been patched to correct this issue.

The version of Safari installed on the remote Windows host is earlier than 3.2.  Such versions are potentially affected by several issues : 


  - Safari includes a version of zlib that is affected by multiple vulnerabilities. (CVE-2005-2096)
  - A heap buffer overflow issue in the libxslt library could lead to a crash or arbitrary code execution. (CVE-2008-1767)
  - A signedness issue in Safari's handling of JavaScript array indices could lead to a crash or arbitrary code execution. (CVE-2008-2303)
  - A memory corruption issue in WebCore's handling of style sheet elements could lead to a crash or arbitrary code execution. (CVE-2008-2317)
  - Multiple uninitialized memory access issues in libTIFF's handling of LZW-encoded TIFF images could lead to a crash or arbitrary code execution. (CVE-2008-2327)
  - A memory corruption issue in ImageIO's handling of TIFF images could lead to a crash or arbitrary code execution. (CVE-2008-2332).
  - A memory corruption issue in ImageIO's handling of embedded ICC profiles in JPEG images could lead to a crash or arbitrary code execution. (CVE-2008-3608)
  - A heap buffer overflow in CoreGraphics' handling of color spaces could lead to a crash or arbitrary code execution. (CVE-2008-3623)
  - A buffer overflow in the handling of images with an embedded ICC profile could lead to a crash or arbitrary code execution. (CVE-2008-3642)
  - Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. (CVE-2008-3644)
  - WebKit's plug-in interface does not block plug-ins from launching local URLs, which could allow a remote attacker to launch local files in Safari and lead to the disclosure of sensitive information. (CVE-2008-4216)

The version of Safari installed on the remote Windows host is earlier than 3.2.  Such versions are potentially affected by several issues :

  - Safari includes a version of zlib that is affected by     multiple vulnerabilities. (CVE-2005-2096)

  - A heap-based buffer overflow issue in the libxslt library     could lead to a crash or arbitrary code execution.
    (CVE-2008-1767)

  - A signedness issue in Safari's handling of JavaScript     array indices could lead to a crash or arbitrary code     execution. (CVE-2008-2303)

  - A memory corruption issue in WebCore's handling of style     sheet elements could lead to a crash or arbitrary code     execution. (CVE-2008-2317)

  - Multiple uninitialized memory access issues in libTIFF's     handling of LZW-encoded TIFF images could lead to a     crash or arbitrary code execution. (CVE-2008-2327)

  - A memory corruption issue in ImageIO's handling of TIFF     images could lead to a crash or arbitrary code     execution. (CVE-2008-2332).

  - A memory corruption issue in ImageIO's handling of     embedded ICC profiles in JPEG images could lead to a     crash or arbitrary code execution. (CVE-2008-3608)

  - A heap-based buffer overflow in CoreGraphics' handling     of color spaces could lead to a crash or arbitrary code     execution. (CVE-2008-3623)

  - A buffer overflow in the handling of images with an     embedded ICC profile could lead to a crash or arbitrary     code execution. (CVE-2008-3642)

  - Disabling autocomplete on a form field may not prevent     the data in the field from being stored in the browser     page cache. (CVE-2008-3644)

  - WebKit's plug-in interface does not block plug-ins from     launching local URLs, which could allow a remote     attacker to launch local files in Safari and lead to the     disclosure of sensitive information. (CVE-2008-4216)

The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-007 applied. 

This security update contains fixes for the following products :

  - Apache
  - Certificates
  - ClamAV
  - ColorSync
  - CUPS
  - Finder
  - launchd
  - libxslt
  - MySQL Server
  - Networking
  - PHP
  - Postfix
  - PSNormalizer
  - QuickLook
  - rlogin
  - Script Editor
  - Single Sign-On
  - Tomcat
  - vim
  - Weblog

It was discovered that long transformation matches in libxslt could overflow. If an attacker were able to make an application linked against libxslt process malicious XSL style sheet input, they could execute arbitrary code with user privileges or cause the application to crash, leading to a denial of serivce. (CVE-2008-1767)

Chris Evans discovered that the RC4 processing code in libxslt did not correctly handle corrupted key information. If a remote attacker were able to make an application linked against libxslt process malicious XML input, they could crash the application, leading to a denial of service. (CVE-2008-2935).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New libxslt packages are available for Slackware 12.0, 12.1, and
-current to fix a security issue.

The remote host is affected by the vulnerability described in GLSA-200806-02 (libxslt: Execution of arbitrary code)

    Anthony de Almeida Lopes reported a vulnerability in libxslt when     handling XSL style-sheet files, which could be exploited to trigger the     use of uninitialized memory, e.g. in a call to 'free()'.
  Impact :

    A remote attacker could entice a user or automated system to process an     XML file using a specially crafted XSL transformation file, possibly     resulting in the execution of arbitrary code or a Denial of Service.
  Workaround :

    There is no known workaround at this time.

It was discovered that libxslt, an XSLT processing runtime library, could be coerced into executing arbitrary code via a buffer overflow when an XSL style sheet file with a long XSLT 'transformation match' condition triggered a large number of steps.

Updated libxslt packages that fix a security issue are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

libxslt is a C library, based on libxml, for parsing of XML files into other textual formats (eg HTML, plain text and other XML representations of the underlying data) It uses the standard XSLT stylesheet transformation mechanism and, being written in plain ANSI C, is designed to be simple to incorporate into other applications

Anthony de Almeida Lopes reported the libxslt library did not properly process long 'transformation match' conditions in the XSL stylesheet files. An attacker could create a malicious XSL file that would cause a crash, or, possibly, execute and arbitrary code with the privileges of the application using libxslt library to perform XSL transformations. (CVE-2008-1767)

All users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.

The version of Safari installed on the remote Windows host is earlier than 3.2.  Such versions are potentially affected by several issues : 


  - Safari includes a version of zlib that is affected by multiple vulnerabilities. (CVE-2005-2096)
  - A heap buffer overflow issue in the libxslt library could lead to a crash or arbitrary code execution. (CVE-2008-1767)
  - A signedness issue in Safari's handling of JavaScript array indices could lead to a crash or arbitrary code execution. (CVE-2008-2303)
  - A memory corruption issue in WebCore's handling of style sheet elements could lead to a crash or arbitrary code execution. (CVE-2008-2317)
  - Multiple uninitialized memory access issues in libTIFF's handling of LZW-encoded TIFF images could lead to a crash or arbitrary code execution. (CVE-2008-2327)
  - A memory corruption issue in ImageIO's handling of TIFF images could lead to a crash or arbitrary code execution. (CVE-2008-2332).
  - A memory corruption issue in ImageIO's handling of embedded ICC profiles in JPEG images could lead to a crash or arbitrary code execution. (CVE-2008-3608)
  - A heap buffer overflow in CoreGraphics' handling of color spaces could lead to a crash or arbitrary code execution. (CVE-2008-3623)
  - A buffer overflow in the handling of images with an embedded ICC profile could lead to a crash or arbitrary code execution. (CVE-2008-3642)
  - Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. (CVE-2008-3644)
  - WebKit's plug-in interface does not block plug-ins from launching local URLs, which could allow a remote attacker to launch local files in Safari and lead to the disclosure of sensitive information. (CVE-2008-4216)

 
IAVB Reference : 2008-B-0078
STIG Finding Severity : Category I

ID	Name	Product	Family	Severity
67692	Oracle Linux 3 / 4 / 5 : libxslt (ELSA-2008-0287)	Nessus	Oracle Linux Local Security Checks	high
60405	Scientific Linux Security Update : libxslt on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
41218	SuSE9 Security Update : libxslt (YOU Patch Number 12184)	Nessus	SuSE Local Security Checks	high
37284	Mandriva Linux Security Advisory : libxslt (MDVSA-2008:151)	Nessus	Mandriva Local Security Checks	high
4754	Safari < 3.2 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
34772	Safari < 3.2 Multiple Vulnerabilities	Nessus	Windows	high
34374	Mac OS X Multiple Vulnerabilities (Security Update 2008-007)	Nessus	MacOS X Local Security Checks	critical
33808	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : libxslt vulnerabilities (USN-633-1)	Nessus	Ubuntu Local Security Checks	high
33748	Slackware 12.0 / 12.1 / current : libxslt (SSA:2008-210-03)	Nessus	Slackware Local Security Checks	high
33196	SuSE 10 Security Update : libxslt (ZYPP Patch Number 5343)	Nessus	SuSE Local Security Checks	high
33195	openSUSE 10 Security Update : libxslt (libxslt-5263)	Nessus	SuSE Local Security Checks	high
33085	GLSA-200806-02 : libxslt: Execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
32457	Debian DSA-1589-1 : libxslt - buffer overflow	Nessus	Debian Local Security Checks	high
32421	RHEL 2.1 / 3 / 4 / 5 : libxslt (RHSA-2008:0287)	Nessus	Red Hat Local Security Checks	high
32401	CentOS 3 / 4 / 5 : libxslt (CESA-2008:0287)	Nessus	CentOS Local Security Checks	high
801019	Safari < 3.2 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high

Detections

Analytics

CVE-2008-1767

critical

Tenable Plugins

high

high

high

high

high

high

critical

high

high

high

high

high

high

high

high

high