import libxslt-1.1.32-5.el8
This commit is contained in:
CentOS Sources
parent
03bbf54760
commit
a8f6632837
120
SOURCES/libxslt-1.1.32-CVE-2019-11068.patch
Normal file
120
SOURCES/libxslt-1.1.32-CVE-2019-11068.patch
Normal file
@ -0,0 +1,120 @@
|
|||||||
|
From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Sun, 24 Mar 2019 09:51:39 +0100
|
||||||
|
Subject: [PATCH] Fix security framework bypass
|
||||||
|
|
||||||
|
xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
|
||||||
|
don't check for this condition and allow access. With a specially
|
||||||
|
crafted URL, xsltCheckRead could be tricked into returning an error
|
||||||
|
because of a supposedly invalid URL that would still be loaded
|
||||||
|
succesfully later on.
|
||||||
|
|
||||||
|
Fixes #12.
|
||||||
|
|
||||||
|
Thanks to Felix Wilhelm for the report.
|
||||||
|
---
|
||||||
|
libxslt/documents.c | 18 ++++++++++--------
|
||||||
|
libxslt/imports.c | 9 +++++----
|
||||||
|
libxslt/transform.c | 9 +++++----
|
||||||
|
libxslt/xslt.c | 9 +++++----
|
||||||
|
4 files changed, 25 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libxslt/documents.c b/libxslt/documents.c
|
||||||
|
index 3f3a7312..4aad11bb 100644
|
||||||
|
--- a/libxslt/documents.c
|
||||||
|
+++ b/libxslt/documents.c
|
||||||
|
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
|
||||||
|
int res;
|
||||||
|
|
||||||
|
res = xsltCheckRead(ctxt->sec, ctxt, URI);
|
||||||
|
- if (res == 0) {
|
||||||
|
- xsltTransformError(ctxt, NULL, NULL,
|
||||||
|
- "xsltLoadDocument: read rights for %s denied\n",
|
||||||
|
- URI);
|
||||||
|
+ if (res <= 0) {
|
||||||
|
+ if (res == 0)
|
||||||
|
+ xsltTransformError(ctxt, NULL, NULL,
|
||||||
|
+ "xsltLoadDocument: read rights for %s denied\n",
|
||||||
|
+ URI);
|
||||||
|
return(NULL);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
|
||||||
|
int res;
|
||||||
|
|
||||||
|
res = xsltCheckRead(sec, NULL, URI);
|
||||||
|
- if (res == 0) {
|
||||||
|
- xsltTransformError(NULL, NULL, NULL,
|
||||||
|
- "xsltLoadStyleDocument: read rights for %s denied\n",
|
||||||
|
- URI);
|
||||||
|
+ if (res <= 0) {
|
||||||
|
+ if (res == 0)
|
||||||
|
+ xsltTransformError(NULL, NULL, NULL,
|
||||||
|
+ "xsltLoadStyleDocument: read rights for %s denied\n",
|
||||||
|
+ URI);
|
||||||
|
return(NULL);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/libxslt/imports.c b/libxslt/imports.c
|
||||||
|
index 874870cc..3783b247 100644
|
||||||
|
--- a/libxslt/imports.c
|
||||||
|
+++ b/libxslt/imports.c
|
||||||
|
@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
|
||||||
|
int secres;
|
||||||
|
|
||||||
|
secres = xsltCheckRead(sec, NULL, URI);
|
||||||
|
- if (secres == 0) {
|
||||||
|
- xsltTransformError(NULL, NULL, NULL,
|
||||||
|
- "xsl:import: read rights for %s denied\n",
|
||||||
|
- URI);
|
||||||
|
+ if (secres <= 0) {
|
||||||
|
+ if (secres == 0)
|
||||||
|
+ xsltTransformError(NULL, NULL, NULL,
|
||||||
|
+ "xsl:import: read rights for %s denied\n",
|
||||||
|
+ URI);
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/libxslt/transform.c b/libxslt/transform.c
|
||||||
|
index 13793914..0636dbd0 100644
|
||||||
|
--- a/libxslt/transform.c
|
||||||
|
+++ b/libxslt/transform.c
|
||||||
|
@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
|
||||||
|
*/
|
||||||
|
if (ctxt->sec != NULL) {
|
||||||
|
ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
|
||||||
|
- if (ret == 0) {
|
||||||
|
- xsltTransformError(ctxt, NULL, inst,
|
||||||
|
- "xsltDocumentElem: write rights for %s denied\n",
|
||||||
|
- filename);
|
||||||
|
+ if (ret <= 0) {
|
||||||
|
+ if (ret == 0)
|
||||||
|
+ xsltTransformError(ctxt, NULL, inst,
|
||||||
|
+ "xsltDocumentElem: write rights for %s denied\n",
|
||||||
|
+ filename);
|
||||||
|
xmlFree(URL);
|
||||||
|
xmlFree(filename);
|
||||||
|
return;
|
||||||
|
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
|
||||||
|
index 780a5ad7..a234eb79 100644
|
||||||
|
--- a/libxslt/xslt.c
|
||||||
|
+++ b/libxslt/xslt.c
|
||||||
|
@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
|
||||||
|
int res;
|
||||||
|
|
||||||
|
res = xsltCheckRead(sec, NULL, filename);
|
||||||
|
- if (res == 0) {
|
||||||
|
- xsltTransformError(NULL, NULL, NULL,
|
||||||
|
- "xsltParseStylesheetFile: read rights for %s denied\n",
|
||||||
|
- filename);
|
||||||
|
+ if (res <= 0) {
|
||||||
|
+ if (res == 0)
|
||||||
|
+ xsltTransformError(NULL, NULL, NULL,
|
||||||
|
+ "xsltParseStylesheetFile: read rights for %s denied\n",
|
||||||
|
+ filename);
|
||||||
|
return(NULL);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.24.1
|
||||||
|
|
||||||
30
SOURCES/libxslt-1.1.32-CVE-2019-18197.patch
Normal file
30
SOURCES/libxslt-1.1.32-CVE-2019-18197.patch
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Sat, 17 Aug 2019 16:51:53 +0200
|
||||||
|
Subject: [PATCH] Fix dangling pointer in xsltCopyText
|
||||||
|
|
||||||
|
xsltCopyText didn't reset ctxt->lasttext in some cases which could
|
||||||
|
lead to various memory errors in relation with CDATA sections in input
|
||||||
|
documents.
|
||||||
|
|
||||||
|
Found by OSS-Fuzz.
|
||||||
|
---
|
||||||
|
libxslt/transform.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libxslt/transform.c b/libxslt/transform.c
|
||||||
|
index 95ebd073..d7ab0b66 100644
|
||||||
|
--- a/libxslt/transform.c
|
||||||
|
+++ b/libxslt/transform.c
|
||||||
|
@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
|
||||||
|
if ((copy->content = xmlStrdup(cur->content)) == NULL)
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ ctxt->lasttext = NULL;
|
||||||
|
} else {
|
||||||
|
/*
|
||||||
|
* normal processing. keep counters to extend the text node
|
||||||
|
--
|
||||||
|
2.22.0
|
||||||
|
|
||||||
@ -8,7 +8,7 @@
|
|||||||
Name: libxslt
|
Name: libxslt
|
||||||
Summary: Library providing the Gnome XSLT engine
|
Summary: Library providing the Gnome XSLT engine
|
||||||
Version: 1.1.32
|
Version: 1.1.32
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://xmlsoft.org/XSLT
|
URL: http://xmlsoft.org/XSLT
|
||||||
@ -27,6 +27,10 @@ Patch0: multilib.patch
|
|||||||
Patch1: libxslt-1.1.26-utf8-docs.patch
|
Patch1: libxslt-1.1.26-utf8-docs.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1765632
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1765632
|
||||||
Patch2: multilib2.patch
|
Patch2: multilib2.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1775517
|
||||||
|
Patch3: libxslt-1.1.32-CVE-2019-18197.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1715732
|
||||||
|
Patch4: libxslt-1.1.32-CVE-2019-11068.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This C library allows to transform XML files into other XML files
|
This C library allows to transform XML files into other XML files
|
||||||
@ -131,6 +135,10 @@ rm -vrf %{buildroot}%{_docdir}
|
|||||||
%endif # with python2
|
%endif # with python2
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jan 09 2020 David King <dking@redhat.com> - 1.1.32-5
|
||||||
|
- Fix CVE-2019-18197 (#1775517)
|
||||||
|
- Fix CVE-2019-11068 (#1715732)
|
||||||
|
|
||||||
* Thu Jan 09 2020 David King <dking@redhat.com> - 1.1.32-4
|
* Thu Jan 09 2020 David King <dking@redhat.com> - 1.1.32-4
|
||||||
- Fix multilib issues with devel subpackage (#1765632)
|
- Fix multilib issues with devel subpackage (#1765632)
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user