USN-1358-1 missing NEWS entry about XSLT write operations disabled by default

Bug #931342 reported by Rafal Skucha on 2012-02-13
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
Undecided
Unassigned

Bug Description

After upgrading to php5-xsl 5.3.6-13ubuntu3.5 I'm getting
PHP Warning: XSLTProcessor::transformToXml(): runtime error
and
PHP Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for /var/www/xxxxx.php denied in /var/www/yyyyy.php on line ....

Everything works fine after downgrading plus all file access permissions are fine.

CVE References

Ondřej Surý (ondrej) wrote :

http://www.ubuntu.com/usn/usn-1358-1/

It was discovered that PHP did not properly enforce libxslt security
settings. This could allow a remote attacker to create arbitrary
files via a crafted XSLT stylesheet that uses the libxslt output
extension. (CVE-2012-0057)

I think Steve missed adding few notes to debian/NEWS (from Debian security update):

  * The following new directives were added as part of security fixes:
    - max_input_vars - specifies how many GET/POST/COOKIE input variables
      may be accepted. Default value is set to 1000.
    - xsl.security_prefs - define forbidden operations within XSLT
      stylesheets. Write operations are now disabled by default.

summary: - XSLTProcessor::transformToXml(): runtime error
+ USN-1358-1 missing NEWS entry about XSLT write operations disabled by
+ default
Changed in php5 (Ubuntu):
status: New → Confirmed
Ondřej Surý (ondrej) wrote :

i.e. it's a feature (and there's nothing wrong), but it wasn't properly announced in the USN.

Keilo (keilo) wrote :

The fix is to set xsl.security_prefs = 0 in php.ini

If anyone else comes across this issue after upgrading php, more info here: https://bugs.php.net/bug.php?id=54446

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue, as you have determined, the security fix changed the default behaviour.

I am closing this bug now as there is no further action to take. Thanks.

Changed in php5 (Ubuntu):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.