National Cyber Awareness System

Vulnerability Summary for CVE-2011-1425

Overview

xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=692133

Type: Patch Information

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=692133

External Source: MLIST

Name: [xmlsec] 20110331 New xmlsec 1.2.17 release

Type: Patch Information

Hyperlink:http://www.aleksey.com/pipermail/xmlsec/2011/009120.html

External Source: CONFIRM

Name: http://git.gnome.org/browse/xmlsec/commit/?id=35eaacde6093d6711339754fc2146341b8b9f5fa

Type: Patch Information

Hyperlink:http://git.gnome.org/browse/xmlsec/commit/?id=35eaacde6093d6711339754fc2146341b8b9f5fa

External Source: CONFIRM

Name: http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780

Type: Patch Information

Hyperlink:http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780

External Source: CONFIRM

Name: https://bugs.webkit.org/show_bug.cgi?id=52688

Hyperlink:https://bugs.webkit.org/show_bug.cgi?id=52688

External Source: XF

Name: xmlsecurity-xmlfiles-sec-bypass(66506)

Hyperlink:http://xforce.iss.net/xforce/xfdb/66506

External Source: VUPEN

Name: ADV-2011-1172

Hyperlink:http://www.vupen.com/english/advisories/2011/1172

External Source: VUPEN

Name: ADV-2011-1010

Hyperlink:http://www.vupen.com/english/advisories/2011/1010

External Source: VUPEN

Name: ADV-2011-0858

Hyperlink:http://www.vupen.com/english/advisories/2011/0858

External Source: VUPEN

Name: ADV-2011-0855

Hyperlink:http://www.vupen.com/english/advisories/2011/0855

External Source: SECTRACK

Name: 1025284

Hyperlink:http://www.securitytracker.com/id?1025284

External Source: BID

Name: 47135

Hyperlink:http://www.securityfocus.com/bid/47135

External Source: REDHAT

Name: RHSA-2011:0486

Hyperlink:http://www.redhat.com/support/errata/RHSA-2011-0486.html

External Source: MANDRIVA

Name: MDVSA-2011:063

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2011:063

External Source: DEBIAN

Name: DSA-2219

Hyperlink:http://www.debian.org/security/2011/dsa-2219

External Source: CONFIRM

Name: http://trac.webkit.org/changeset/79159

Hyperlink:http://trac.webkit.org/changeset/79159

External Source: SECUNIA

Name: 44423

Hyperlink:http://secunia.com/advisories/44423

External Source: SECUNIA

Name: 44167

Hyperlink:http://secunia.com/advisories/44167

External Source: SECUNIA

Name: 43920

Type: Advisory

Hyperlink:http://secunia.com/advisories/43920