From 8b08cfbafba84226c871940af7b453a487f0a0bb Mon Sep 17 00:00:00 2001
From: Gwyn Ciesla <gwync@protonmail.com>
Date: Mon, 9 Mar 2020 16:43:28 -0500
Subject: [PATCH] 1.1.34

---
 CVE-2019-11068.patch | 120 -------------------------------------------
 CVE-2019-13117.patch |  30 -----------
 CVE-2019-13118.patch |  72 --------------------------
 libxslt.spec         |  13 ++---
 sources              |   2 +-
 5 files changed, 6 insertions(+), 231 deletions(-)
 delete mode 100644 CVE-2019-11068.patch
 delete mode 100644 CVE-2019-13117.patch
 delete mode 100644 CVE-2019-13118.patch

diff --git a/CVE-2019-11068.patch b/CVE-2019-11068.patch
deleted file mode 100644
index db0de8a..0000000
--- a/CVE-2019-11068.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sun, 24 Mar 2019 09:51:39 +0100
-Subject: [PATCH] Fix security framework bypass
-
-xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
-don't check for this condition and allow access. With a specially
-crafted URL, xsltCheckRead could be tricked into returning an error
-because of a supposedly invalid URL that would still be loaded
-succesfully later on.
-
-Fixes #12.
-
-Thanks to Felix Wilhelm for the report.
----
- libxslt/documents.c | 18 ++++++++++--------
- libxslt/imports.c   |  9 +++++----
- libxslt/transform.c |  9 +++++----
- libxslt/xslt.c      |  9 +++++----
- 4 files changed, 25 insertions(+), 20 deletions(-)
-
-diff --git a/libxslt/documents.c b/libxslt/documents.c
-index 3f3a7312..4aad11bb 100644
---- a/libxslt/documents.c
-+++ b/libxslt/documents.c
-@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
- 	int res;
- 
- 	res = xsltCheckRead(ctxt->sec, ctxt, URI);
--	if (res == 0) {
--	    xsltTransformError(ctxt, NULL, NULL,
--		 "xsltLoadDocument: read rights for %s denied\n",
--			     URI);
-+	if (res <= 0) {
-+            if (res == 0)
-+                xsltTransformError(ctxt, NULL, NULL,
-+                     "xsltLoadDocument: read rights for %s denied\n",
-+                                 URI);
- 	    return(NULL);
- 	}
-     }
-@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
- 	int res;
- 
- 	res = xsltCheckRead(sec, NULL, URI);
--	if (res == 0) {
--	    xsltTransformError(NULL, NULL, NULL,
--		 "xsltLoadStyleDocument: read rights for %s denied\n",
--			     URI);
-+	if (res <= 0) {
-+            if (res == 0)
-+                xsltTransformError(NULL, NULL, NULL,
-+                     "xsltLoadStyleDocument: read rights for %s denied\n",
-+                                 URI);
- 	    return(NULL);
- 	}
-     }
-diff --git a/libxslt/imports.c b/libxslt/imports.c
-index 874870cc..3783b247 100644
---- a/libxslt/imports.c
-+++ b/libxslt/imports.c
-@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
- 	int secres;
- 
- 	secres = xsltCheckRead(sec, NULL, URI);
--	if (secres == 0) {
--	    xsltTransformError(NULL, NULL, NULL,
--		 "xsl:import: read rights for %s denied\n",
--			     URI);
-+	if (secres <= 0) {
-+            if (secres == 0)
-+                xsltTransformError(NULL, NULL, NULL,
-+                     "xsl:import: read rights for %s denied\n",
-+                                 URI);
- 	    goto error;
- 	}
-     }
-diff --git a/libxslt/transform.c b/libxslt/transform.c
-index 13793914..0636dbd0 100644
---- a/libxslt/transform.c
-+++ b/libxslt/transform.c
-@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
-      */
-     if (ctxt->sec != NULL) {
- 	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
--	if (ret == 0) {
--	    xsltTransformError(ctxt, NULL, inst,
--		 "xsltDocumentElem: write rights for %s denied\n",
--			     filename);
-+	if (ret <= 0) {
-+            if (ret == 0)
-+                xsltTransformError(ctxt, NULL, inst,
-+                     "xsltDocumentElem: write rights for %s denied\n",
-+                                 filename);
- 	    xmlFree(URL);
- 	    xmlFree(filename);
- 	    return;
-diff --git a/libxslt/xslt.c b/libxslt/xslt.c
-index 780a5ad7..a234eb79 100644
---- a/libxslt/xslt.c
-+++ b/libxslt/xslt.c
-@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
- 	int res;
- 
- 	res = xsltCheckRead(sec, NULL, filename);
--	if (res == 0) {
--	    xsltTransformError(NULL, NULL, NULL,
--		 "xsltParseStylesheetFile: read rights for %s denied\n",
--			     filename);
-+	if (res <= 0) {
-+            if (res == 0)
-+                xsltTransformError(NULL, NULL, NULL,
-+                     "xsltParseStylesheetFile: read rights for %s denied\n",
-+                                 filename);
- 	    return(NULL);
- 	}
-     }
--- 
-2.21.0
-
diff --git a/CVE-2019-13117.patch b/CVE-2019-13117.patch
deleted file mode 100644
index 139edbd..0000000
--- a/CVE-2019-13117.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sat, 27 Apr 2019 11:19:48 +0200
-Subject: [PATCH] Fix uninitialized read of xsl:number token
-
-Found by OSS-Fuzz.
----
- libxslt/numbers.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index 89e1f668..75c31eba 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
- 		tokens->tokens[tokens->nTokens].token = val - 1;
- 		ix += len;
- 		val = xmlStringCurrentChar(NULL, format+ix, &len);
--	    }
-+	    } else {
-+                tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
-+                tokens->tokens[tokens->nTokens].width = 1;
-+            }
- 	} else if ( (val == (xmlChar)'A') ||
- 		    (val == (xmlChar)'a') ||
- 		    (val == (xmlChar)'I') ||
--- 
-2.22.0
-
-
diff --git a/CVE-2019-13118.patch b/CVE-2019-13118.patch
deleted file mode 100644
index 7b8e4d3..0000000
--- a/CVE-2019-13118.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 3 Jun 2019 13:14:45 +0200
-Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
-
-The character type in xsltFormatNumberConversion was too narrow and
-an invalid character/length combination could be passed to
-xsltNumberFormatDecimal, resulting in an uninitialized read.
-
-Found by OSS-Fuzz.
----
- libxslt/numbers.c         | 5 +++--
- tests/docs/bug-222.xml    | 1 +
- tests/general/bug-222.out | 2 ++
- tests/general/bug-222.xsl | 6 ++++++
- 4 files changed, 12 insertions(+), 2 deletions(-)
- create mode 100644 tests/docs/bug-222.xml
- create mode 100644 tests/general/bug-222.out
- create mode 100644 tests/general/bug-222.xsl
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index f1ed8846..20b99d5a 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
-     number = floor((scale * number + 0.5)) / scale;
-     if ((self->grouping != NULL) &&
-         (self->grouping[0] != 0)) {
-+        int gchar;
- 
- 	len = xmlStrlen(self->grouping);
--	pchar = xsltGetUTF8Char(self->grouping, &len);
-+	gchar = xsltGetUTF8Char(self->grouping, &len);
- 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
- 				format_info.integer_digits,
- 				format_info.group,
--				pchar, len);
-+				gchar, len);
-     } else
- 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
- 				format_info.integer_digits,
-diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
-new file mode 100644
-index 00000000..69d62f2c
---- /dev/null
-+++ b/tests/docs/bug-222.xml
-@@ -0,0 +1 @@
-+<doc/>
-diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
-new file mode 100644
-index 00000000..e3139698
---- /dev/null
-+++ b/tests/general/bug-222.out
-@@ -0,0 +1,2 @@
-+<?xml version="1.0"?>
-+1⠢0
-diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
-new file mode 100644
-index 00000000..e32dc473
---- /dev/null
-+++ b/tests/general/bug-222.xsl
-@@ -0,0 +1,6 @@
-+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-+  <xsl:decimal-format name="f" grouping-separator="⠢"/>
-+  <xsl:template match="/">
-+    <xsl:value-of select="format-number(10,'#⠢0','f')"/>
-+  </xsl:template>
-+</xsl:stylesheet>
--- 
-2.22.0
-
-
diff --git a/libxslt.spec b/libxslt.spec
index de48a4e..970522d 100644
--- a/libxslt.spec
+++ b/libxslt.spec
@@ -1,7 +1,7 @@
 Name:           libxslt
 Summary:        Library providing the Gnome XSLT engine
-Version:        1.1.33
-Release:        5%{?dist}
+Version:        1.1.34
+Release:        1%{?dist}
 
 License:        MIT
 URL:            http://xmlsoft.org/XSLT
@@ -20,12 +20,6 @@ Patch0:         multilib.patch
 Patch1:         libxslt-1.1.26-utf8-docs.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1467435
 Patch2:         multilib2.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1709698
-Patch3:         CVE-2019-11068.patch
-# https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
-Patch4:         CVE-2019-13118.patch
-# https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
-Patch5:         CVE-2019-13117.patch
 
 %description
 This C library allows to transform XML files into other XML files
@@ -133,6 +127,9 @@ rm -vrf %{buildroot}%{_docdir}
 %endif
 
 %changelog
+* Mon Mar 09 2020 Gwyn Ciesla <gwync@protonmail.com> - 1.1.34-1
+- 1.1.34
+
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.33-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
diff --git a/sources b/sources
index 46055ae..3b1402d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (libxslt-1.1.33.tar.gz) = ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0
+SHA512 (libxslt-1.1.34.tar.gz) = 1516a11ad608b04740674060d2c5d733b88889de5e413b9a4e8bf8d1a90d712149df6d2b1345b615f529d7c7d3fa6dae12e544da828b39c7d415e54c0ee0776b