SB2011031101 - Information disclosure in Techland Chrome
Published: March 11, 2011 Updated: July 24, 2020
Security Bulletin ID
SB2011031101
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2011-1202)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.
Remediation
Install update from vendor's website.
References
- http://code.google.com/p/chromium/issues/detail?id=73716
- http://downloads.avaya.com/css/P8/documents/100144158
- http://git.gnome.org/browse/libxslt/commit/?id=ecb6bcb8d1b7e44842edde3929f412d46b40c89f
- http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html
- http://scarybeastsecurity.blogspot.com/2011/03/multi-browser-heap-address-leak-in-xslt.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:079
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:164
- http://www.securityfocus.com/bid/46785
- http://www.vupen.com/english/advisories/2011/0628
- https://bugzilla.redhat.com/show_bug.cgi?id=684386
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65966
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14244