libxslt: Execution of arbitrary code
Gentoo Linux Security Advisory
||GLSA 200808-06 / libxslt
||August 06, 2008
||August 06, 2008: 01
All supported architectures
libxslt is affected by a heap-based buffer overflow, possibly leading to
the execution of arbitrary code.
libxslt is the XSLT C library developed for the GNOME project. XSLT is
an XML language to define transformations for XML.
Chris Evans (Google Security) reported that the libexslt library that
is part of libxslt is affected by a heap-based buffer overflow in the
RC4 encryption/decryption functions.
A remote attacker could entice a user to process an XML file using a
specially crafted XSLT stylesheet in an application linked against
libxslt, possibly leading to the execution of arbitrary code with the
privileges of the user running the application.
There is no known workaround at this time.
All libxslt users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxslt-1.1.24-r1"