Vigil@nce: libxslt, buffer overflow via Namespace
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use XSLT data with a Namespace selection, in order
to stop applications linked to libxslt, and possibly to execute
code.
– Impacted products: Fedora, RHEL, Unix (platform)
– Severity: 2/4
– Creation date: 14/09/2012
DESCRIPTION OF THE VULNERABILITY
The libxslt library processes XSLT transformations to be applied
on an XML document.
A transformation can select nodes via "namespace::*". However, in
this case, the xsltApplyTemplates() function of file
libxslt/transform.c uses an invalid pointer to a child node. An
overflow then occurs in the function xmlUnlinkNode().
An attacker can therefore use XSLT data with a Namespace
selection, in order to stop applications linked to libxslt, and
possibly to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libxslt-buffer-overflow-via-Namespace-11946