From c6a6e55856afb68f494fc1e14964f12463fcebbc Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Jul 2020 02:15:12 -0400 Subject: [PATCH] import libxslt-1.1.32-5.el8 --- SOURCES/libxslt-1.1.32-CVE-2019-11068.patch | 120 ++++++++++++++++++++ SOURCES/libxslt-1.1.32-CVE-2019-18197.patch | 30 +++++ SOURCES/multilib2.patch | 28 +++++ SPECS/libxslt.spec | 15 ++- 4 files changed, 192 insertions(+), 1 deletion(-) create mode 100644 SOURCES/libxslt-1.1.32-CVE-2019-11068.patch create mode 100644 SOURCES/libxslt-1.1.32-CVE-2019-18197.patch create mode 100644 SOURCES/multilib2.patch diff --git a/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch b/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch new file mode 100644 index 0000000..62007d6 --- /dev/null +++ b/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch @@ -0,0 +1,120 @@ +From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 24 Mar 2019 09:51:39 +0100 +Subject: [PATCH] Fix security framework bypass + +xsltCheckRead and xsltCheckWrite return -1 in case of error but callers +don't check for this condition and allow access. With a specially +crafted URL, xsltCheckRead could be tricked into returning an error +because of a supposedly invalid URL that would still be loaded +succesfully later on. + +Fixes #12. + +Thanks to Felix Wilhelm for the report. +--- + libxslt/documents.c | 18 ++++++++++-------- + libxslt/imports.c | 9 +++++---- + libxslt/transform.c | 9 +++++---- + libxslt/xslt.c | 9 +++++---- + 4 files changed, 25 insertions(+), 20 deletions(-) + +diff --git a/libxslt/documents.c b/libxslt/documents.c +index 3f3a7312..4aad11bb 100644 +--- a/libxslt/documents.c ++++ b/libxslt/documents.c +@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) { + int res; + + res = xsltCheckRead(ctxt->sec, ctxt, URI); +- if (res == 0) { +- xsltTransformError(ctxt, NULL, NULL, +- "xsltLoadDocument: read rights for %s denied\n", +- URI); ++ if (res <= 0) { ++ if (res == 0) ++ xsltTransformError(ctxt, NULL, NULL, ++ "xsltLoadDocument: read rights for %s denied\n", ++ URI); + return(NULL); + } + } +@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) { + int res; + + res = xsltCheckRead(sec, NULL, URI); +- if (res == 0) { +- xsltTransformError(NULL, NULL, NULL, +- "xsltLoadStyleDocument: read rights for %s denied\n", +- URI); ++ if (res <= 0) { ++ if (res == 0) ++ xsltTransformError(NULL, NULL, NULL, ++ "xsltLoadStyleDocument: read rights for %s denied\n", ++ URI); + return(NULL); + } + } +diff --git a/libxslt/imports.c b/libxslt/imports.c +index 874870cc..3783b247 100644 +--- a/libxslt/imports.c ++++ b/libxslt/imports.c +@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) { + int secres; + + secres = xsltCheckRead(sec, NULL, URI); +- if (secres == 0) { +- xsltTransformError(NULL, NULL, NULL, +- "xsl:import: read rights for %s denied\n", +- URI); ++ if (secres <= 0) { ++ if (secres == 0) ++ xsltTransformError(NULL, NULL, NULL, ++ "xsl:import: read rights for %s denied\n", ++ URI); + goto error; + } + } +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 13793914..0636dbd0 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node, + */ + if (ctxt->sec != NULL) { + ret = xsltCheckWrite(ctxt->sec, ctxt, filename); +- if (ret == 0) { +- xsltTransformError(ctxt, NULL, inst, +- "xsltDocumentElem: write rights for %s denied\n", +- filename); ++ if (ret <= 0) { ++ if (ret == 0) ++ xsltTransformError(ctxt, NULL, inst, ++ "xsltDocumentElem: write rights for %s denied\n", ++ filename); + xmlFree(URL); + xmlFree(filename); + return; +diff --git a/libxslt/xslt.c b/libxslt/xslt.c +index 780a5ad7..a234eb79 100644 +--- a/libxslt/xslt.c ++++ b/libxslt/xslt.c +@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) { + int res; + + res = xsltCheckRead(sec, NULL, filename); +- if (res == 0) { +- xsltTransformError(NULL, NULL, NULL, +- "xsltParseStylesheetFile: read rights for %s denied\n", +- filename); ++ if (res <= 0) { ++ if (res == 0) ++ xsltTransformError(NULL, NULL, NULL, ++ "xsltParseStylesheetFile: read rights for %s denied\n", ++ filename); + return(NULL); + } + } +-- +2.24.1 + diff --git a/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch b/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch new file mode 100644 index 0000000..a8c7cf5 --- /dev/null +++ b/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch @@ -0,0 +1,30 @@ +From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 17 Aug 2019 16:51:53 +0200 +Subject: [PATCH] Fix dangling pointer in xsltCopyText + +xsltCopyText didn't reset ctxt->lasttext in some cases which could +lead to various memory errors in relation with CDATA sections in input +documents. + +Found by OSS-Fuzz. +--- + libxslt/transform.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 95ebd073..d7ab0b66 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target, + if ((copy->content = xmlStrdup(cur->content)) == NULL) + return NULL; + } ++ ++ ctxt->lasttext = NULL; + } else { + /* + * normal processing. keep counters to extend the text node +-- +2.22.0 + diff --git a/SOURCES/multilib2.patch b/SOURCES/multilib2.patch new file mode 100644 index 0000000..22ffe7e --- /dev/null +++ b/SOURCES/multilib2.patch @@ -0,0 +1,28 @@ +diff -urN libxslt-1.1.32/libxslt/xsltconfig.h.in libxslt-1.1.32.completemultilib/libxslt/xsltconfig.h.in +--- libxslt-1.1.32/libxslt/xsltconfig.h.in 2017-10-26 07:55:47.000000000 +0000 ++++ libxslt-1.1.32.completemultilib/libxslt/xsltconfig.h.in 2019-05-06 11:35:57.948191169 +0000 +@@ -120,7 +120,11 @@ + #ifndef WITH_MODULES + #define WITH_MODULES + #endif +-#define LIBXSLT_DEFAULT_PLUGINS_PATH() "@LIBXSLT_DEFAULT_PLUGINS_PATH@" ++#ifdef __LP64__ ++#define LIBXSLT_DEFAULT_PLUGINS_PATH() "/usr/lib64/libxslt-plugins" ++#else ++#define LIBXSLT_DEFAULT_PLUGINS_PATH() "/usr/lib/libxslt-plugins" ++#endif + #endif + + /** +diff -urN libxslt-1.1.32/xslt-config.in libxslt-1.1.32.completemultilib/xslt-config.in +--- libxslt-1.1.32/xslt-config.in 2015-05-10 14:11:30.000000000 +0000 ++++ libxslt-1.1.32.completemultilib/xslt-config.in 2019-05-06 11:34:59.670592304 +0000 +@@ -65,7 +65,7 @@ + ;; + + --plugins) +- echo @LIBXSLT_DEFAULT_PLUGINS_PATH@ ++ echo ${libdir}/libxslt-plugins + exit 0 + ;; + diff --git a/SPECS/libxslt.spec b/SPECS/libxslt.spec index 03e76a1..7c515f1 100644 --- a/SPECS/libxslt.spec +++ b/SPECS/libxslt.spec @@ -8,7 +8,7 @@ Name: libxslt Summary: Library providing the Gnome XSLT engine Version: 1.1.32 -Release: 3%{?dist} +Release: 5%{?dist} License: MIT URL: http://xmlsoft.org/XSLT @@ -25,6 +25,12 @@ BuildRequires: pkgconfig(libxml-2.0) >= 2.6.27 # Fedora specific patches Patch0: multilib.patch Patch1: libxslt-1.1.26-utf8-docs.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1765632 +Patch2: multilib2.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1775517 +Patch3: libxslt-1.1.32-CVE-2019-18197.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1715732 +Patch4: libxslt-1.1.32-CVE-2019-11068.patch %description This C library allows to transform XML files into other XML files @@ -129,6 +135,13 @@ rm -vrf %{buildroot}%{_docdir} %endif # with python2 %changelog +* Thu Jan 09 2020 David King - 1.1.32-5 +- Fix CVE-2019-18197 (#1775517) +- Fix CVE-2019-11068 (#1715732) + +* Thu Jan 09 2020 David King - 1.1.32-4 +- Fix multilib issues with devel subpackage (#1765632) + * Mon Jun 25 2018 Charalampos Stratakis - 1.1.32-3 - Conditionalize the python2 subpackage