CVE-2017-5029

Name of the Vulnerable Software and Affected Versions libxslt version 1.1.29 Google Chrome versions prior to 57.0.2987.98 for Mac, Windows, and Linux Google Chrome version prior to 57.0.2987.108 for Android Nokogiri versions prior to 1.7.2

Description The issue is related to the xsltAddTextString function in transform.c in libxslt, which lacks a check for integer overflow during a size calculation. This allows a remote attacker to perform an out of bounds memory write via a crafted HTML page.

Recommendations For libxslt version 1.1.29, consider updating to a newer version that includes a fix for the integer overflow issue in the xsltAddTextString function. For Google Chrome versions prior to 57.0.2987.98 for Mac, Windows, and Linux, update to version 57.0.2987.98 or later. For Google Chrome version prior to 57.0.2987.108 for Android, update to version 57.0.2987.108 or later. For Nokogiri versions prior to 1.7.2, update to version 1.7.2 or later. As a temporary workaround, consider restricting the use of the xsltAddTextString function in libxslt until a patch is available.