libxslt XSL Parsing Flaws Let Remote Users Deny Service
SecurityTracker Alert ID: 1028338
SecurityTracker URL: http://securitytracker.com/id/1028338
CVE Reference: CVE-2012-6139
Date: Mar 25 2013
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 1.1.28
Description:
A vulnerability was reported in libxslt. A remote user can cause denial of service conditions.
A remote user can send an XSL template with an empty 'match' attribute to trigger a crash in the xsltDocumentFunction() function in 'libxslt/functions.c'.
A remote user can send specially crafted XSL keys to trigger a null pointer dereference in the xsltAddKey() function in 'libxslt/keys.c'.
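The first condition described above (an XSL template with an empty 'match' attribute) can be screened for before an untrusted stylesheet reaches libxslt. The following is an added example, not code from the advisory or from the libxslt project; the function and class names are hypothetical, the stylesheet is constructed sample data, and treating a whitespace-only value as empty is an assumption. It does not cover the xsltAddKey() case, for which the advisory gives no detail.

```python
import xml.parsers.expat

XSL_NS = "http://www.w3.org/1999/XSL/Transform"


class StylesheetRejected(ValueError):
    """Raised when a stylesheet should not be handed to the XSLT engine."""


def find_empty_match_templates(stylesheet: bytes) -> list:
    """Return the line numbers of xsl:template elements with an empty match."""
    hits = []
    # With a namespace separator, expat reports names as "<uri> <localname>".
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Untrusted stylesheets have no need for a DTD; refuse entity tricks.
        raise StylesheetRejected("DOCTYPE not allowed in untrusted stylesheet")

    def on_start(name, attrs):
        if name == XSL_NS + " template":
            match = attrs.get("match")
            # Assumption: whitespace-only is treated the same as empty.
            if match is not None and match.strip() == "":
                hits.append(parser.CurrentLineNumber)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(stylesheet, True)
    except xml.parsers.expat.ExpatError as exc:
        raise StylesheetRejected(f"not well-formed: {exc}") from exc
    return hits


# Constructed sample: line 4 carries the empty 'match' attribute.
SAMPLE = b"""<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><out/></xsl:template>
  <xsl:template match=""><out/></xsl:template>
  <xsl:template name="helper"><out/></xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for line in find_empty_match_templates(SAMPLE):
        print(f"reject: xsl:template with empty match at line {line}")
```

A check like this supplements the upgrade to 1.1.28 and does not replace it.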
Impact:
A remote user can cause libxslt to crash.
Solution:
The vendor has issued a fix (1.1.28).
The source code fixes are also available at:
http://git.gnome.org/browse/libxslt/commit/?id=dc11b6b379a882418093ecc8adf11f6166682e8d
http://git.gnome.org/browse/libxslt/commit/?id=6c99c519d97e5fcbec7a9537d190efb442e4e833
Vendor URL: xmlsoft.org/XSLT/
Cause:
Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
None.