diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2019-12-24 12:53:57 +0100 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-12-24 12:55:31 +0100 |
| commit | 27b3948601965509fee472f606c59626221f5398 (patch) | |
| tree | ef096ec0ce857d872bb99e45cae78ac100ee30a5 /main | |
| parent | 336ed678178032d07a97fee172237315410e8d3c (diff) | |
main/libxslt: fix CVE-2019-13117, CVE-2019-13118
fixes #11074
Diffstat (limited to 'main')
| -rw-r--r-- | main/libxslt/APKBUILD | 11 | ||||
| -rw-r--r-- | main/libxslt/CVE-2019-13117.patch | 29 | ||||
| -rw-r--r-- | main/libxslt/CVE-2019-13118.patch | 71 |
3 files changed, 109 insertions, 2 deletions
diff --git a/main/libxslt/APKBUILD b/main/libxslt/APKBUILD index a4e3616ae6e..1d5c6413e5a 100644 --- a/main/libxslt/APKBUILD +++ b/main/libxslt/APKBUILD @@ -2,7 +2,7 @@ # Contributor: Francesco Colista <fcolista@alpinelinux.org> pkgname=libxslt pkgver=1.1.33 -pkgrel=2 +pkgrel=3 pkgdesc="XML stylesheet transformation library" url="http://xmlsoft.org/XSLT/" arch="all" @@ -12,10 +12,15 @@ subpackages="$pkgname-dev $pkgname-doc py2-$pkgname:py2" source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz CVE-2019-11068.patch CVE-2019-18197.patch + CVE-2019-13117.patch + CVE-2019-13118.patch " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 1.1.33-r3: +# - CVE-2019-13117 +# - CVE-2019-13118 # 1.1.33-r2: # - CVE-2019-18197 # 1.1.33-r1: @@ -51,4 +56,6 @@ py2() { sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0 libxslt-1.1.33.tar.gz 9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch -ec0a7cd35f9078a3939ef6c695f183d9a0da5dd837d0a7f586b89a07c0c0782384501e4c1532b4d9ee7e94e717c37179f470bae59923d0074b309f09b5bf18fa CVE-2019-18197.patch" +ec0a7cd35f9078a3939ef6c695f183d9a0da5dd837d0a7f586b89a07c0c0782384501e4c1532b4d9ee7e94e717c37179f470bae59923d0074b309f09b5bf18fa CVE-2019-18197.patch +da6f4ddb5c698d2bfd03b7ee8d96001223759a142532e0a8cb77f66744575dcc02ecd0da5ce038b744e740f350060b73c596b9919df331d230d7c4d88a2b912a CVE-2019-13117.patch +0e8912db00e3eefbcb9ee6494aff769cd0764b2e05741ec381ca8b7f72ef3cd4d6125acf086cf79c04ebdbd5a4eebc18815fd7e42653fdbcc7c0e079a3da6482 CVE-2019-13118.patch" diff --git a/main/libxslt/CVE-2019-13117.patch b/main/libxslt/CVE-2019-13117.patch new file mode 100644 index 00000000000..99466495d67 --- /dev/null +++ b/main/libxslt/CVE-2019-13117.patch @@ -0,0 +1,29 @@ +From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 27 Apr 2019 11:19:48 +0200 +Subject: [PATCH] Fix uninitialized read of xsl:number token + +Found by OSS-Fuzz. +--- + libxslt/numbers.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index 89e1f668..75c31eba 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format, + tokens->tokens[tokens->nTokens].token = val - 1; + ix += len; + val = xmlStringCurrentChar(NULL, format+ix, &len); +- } ++ } else { ++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0'; ++ tokens->tokens[tokens->nTokens].width = 1; ++ } + } else if ( (val == (xmlChar)'A') || + (val == (xmlChar)'a') || + (val == (xmlChar)'I') || +-- +2.24.1 + diff --git a/main/libxslt/CVE-2019-13118.patch b/main/libxslt/CVE-2019-13118.patch new file mode 100644 index 00000000000..c597fe48b20 --- /dev/null +++ b/main/libxslt/CVE-2019-13118.patch @@ -0,0 +1,71 @@ +From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Mon, 3 Jun 2019 13:14:45 +0200 +Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars + +The character type in xsltFormatNumberConversion was too narrow and +an invalid character/length combination could be passed to +xsltNumberFormatDecimal, resulting in an uninitialized read. + +Found by OSS-Fuzz. +--- + libxslt/numbers.c | 5 +++-- + tests/docs/bug-222.xml | 1 + + tests/general/bug-222.out | 2 ++ + tests/general/bug-222.xsl | 6 ++++++ + 4 files changed, 12 insertions(+), 2 deletions(-) + create mode 100644 tests/docs/bug-222.xml + create mode 100644 tests/general/bug-222.out + create mode 100644 tests/general/bug-222.xsl + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index f1ed8846..20b99d5a 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER: + number = floor((scale * number + 0.5)) / scale; + if ((self->grouping != NULL) && + (self->grouping[0] != 0)) { ++ int gchar; + + len = xmlStrlen(self->grouping); +- pchar = xsltGetUTF8Char(self->grouping, &len); ++ gchar = xsltGetUTF8Char(self->grouping, &len); + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, + format_info.group, +- pchar, len); ++ gchar, len); + } else + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, +diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml +new file mode 100644 +index 00000000..69d62f2c +--- /dev/null ++++ b/tests/docs/bug-222.xml +@@ -0,0 +1 @@ ++<doc/> +diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out +new file mode 100644 +index 00000000..e3139698 +--- /dev/null ++++ b/tests/general/bug-222.out +@@ -0,0 +1,2 @@ ++<?xml version="1.0"?> ++1⠢0 +diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl +new file mode 100644 +index 00000000..e32dc473 +--- /dev/null ++++ b/tests/general/bug-222.xsl +@@ -0,0 +1,6 @@ ++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> ++ <xsl:decimal-format name="f" grouping-separator="⠢"/> ++ <xsl:template match="/"> ++ <xsl:value-of select="format-number(10,'#⠢0','f')"/> ++ </xsl:template> ++</xsl:stylesheet> +-- +2.24.1 + |