projects / feed / packages.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ad6ed83)
libxslt: patch security issues 9561/head
authorJan Pavlinec <jan.pavlinec@nic.cz>
Wed, 24 Jul 2019 13:33:48 +0000 (15:33 +0200)
committerJan Pavlinec <jan.pavlinec@nic.cz>
Wed, 24 Jul 2019 13:36:56 +0000 (15:36 +0200)
Fixes:
CVE-2019-13117
CVE-2019-13118

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
libs/libxslt/Makefile patch | blob | history
libs/libxslt/patches/101-fix-cve-2019-13117.patch [new file with mode: 0644] patch | blob
libs/libxslt/patches/102-fix-cve-2019-13118.patch [new file with mode: 0644] patch | blob

diff --git a/libs/libxslt/Makefile b/libs/libxslt/Makefile
index 795bf2a56008d9f0338041bdf52729607abcce5d..b31989e4a53b06bc210dacb462cb6ea6bfcdfb7c 100644 (file)
--- a/libs/libxslt/Makefile
+++ b/libs/libxslt/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libxslt
 PKG_VERSION:=1.1.33
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:= \
diff --git a/libs/libxslt/patches/101-fix-cve-2019-13117.patch b/libs/libxslt/patches/101-fix-cve-2019-13117.patch
new file mode 100644 (file)
index 0000000..78ebb90
--- /dev/null
+++ b/libs/libxslt/patches/101-fix-cve-2019-13117.patch
@@ -0,0 +1,29 @@
+From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: [PATCH] Fix uninitialized read of xsl:number token
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668..75c31eba 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+               tokens->tokens[tokens->nTokens].token = val - 1;
+               ix += len;
+               val = xmlStringCurrentChar(NULL, format+ix, &len);
+-          }
++          } else {
++                tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++                tokens->tokens[tokens->nTokens].width = 1;
++            }
+       } else if ( (val == (xmlChar)'A') ||
+                   (val == (xmlChar)'a') ||
+                   (val == (xmlChar)'I') ||
+-- 
+2.21.0
+
diff --git a/libs/libxslt/patches/102-fix-cve-2019-13118.patch b/libs/libxslt/patches/102-fix-cve-2019-13118.patch
new file mode 100644 (file)
index 0000000..b377f4b
--- /dev/null
+++ b/libs/libxslt/patches/102-fix-cve-2019-13118.patch
@@ -0,0 +1,71 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c         | 5 +++--
+ tests/docs/bug-222.xml    | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+     number = floor((scale * number + 0.5)) / scale;
+     if ((self->grouping != NULL) &&
+         (self->grouping[0] != 0)) {
++        int gchar;
+       len = xmlStrlen(self->grouping);
+-      pchar = xsltGetUTF8Char(self->grouping, &len);
++      gchar = xsltGetUTF8Char(self->grouping, &len);
+       xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+                               format_info.integer_digits,
+                               format_info.group,
+-                              pchar, len);
++                              gchar, len);
+     } else
+       xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+                               format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 00000000..e3139698
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 00000000..e32dc473
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++  <xsl:decimal-format name="f" grouping-separator="⠢"/>
++  <xsl:template match="/">
++    <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++  </xsl:template>
++</xsl:stylesheet>
+-- 
+2.21.0
+
Mirror of packages feed