import libxslt-1.1.32-5.el8

2020-07-28 02:15:12 -04:00 · 2020-07-28 02:15:12 -04:00 · c6a6e55856
commit c6a6e55856
parent 291c22e4ac
4 changed files with 192 additions and 1 deletions
--- a/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch
+++ b/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch
@ -0,0 +1,120 @@
 From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Sun, 24 Mar 2019 09:51:39 +0100
 Subject: [PATCH] Fix security framework bypass
 xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
 don't check for this condition and allow access. With a specially
 crafted URL, xsltCheckRead could be tricked into returning an error
 because of a supposedly invalid URL that would still be loaded
 succesfully later on.
 Fixes #12.
 Thanks to Felix Wilhelm for the report.
 ---
 libxslt/documents.c | 18 ++++++++++--------
 libxslt/imports.c   |  9 +++++----
 libxslt/transform.c |  9 +++++----
 libxslt/xslt.c      |  9 +++++----
 4 files changed, 25 insertions(+), 20 deletions(-)
 diff --git a/libxslt/documents.c b/libxslt/documents.c
 index 3f3a7312..4aad11bb 100644
 --- a/libxslt/documents.c
 +++ b/libxslt/documents.c
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
 	int res;
 	res = xsltCheckRead(ctxt->sec, ctxt, URI);
 -	if (res == 0) {
 -	    xsltTransformError(ctxt, NULL, NULL,
 -		 "xsltLoadDocument: read rights for %s denied\n",
 -			     URI);
 +	if (res <= 0) {
 +            if (res == 0)
 +                xsltTransformError(ctxt, NULL, NULL,
 +                     "xsltLoadDocument: read rights for %s denied\n",
 +                                 URI);
 	    return(NULL);
 	}
     }
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
 	int res;
 	res = xsltCheckRead(sec, NULL, URI);
 -	if (res == 0) {
 -	    xsltTransformError(NULL, NULL, NULL,
 -		 "xsltLoadStyleDocument: read rights for %s denied\n",
 -			     URI);
 +	if (res <= 0) {
 +            if (res == 0)
 +                xsltTransformError(NULL, NULL, NULL,
 +                     "xsltLoadStyleDocument: read rights for %s denied\n",
 +                                 URI);
 	    return(NULL);
 	}
     }
 diff --git a/libxslt/imports.c b/libxslt/imports.c
 index 874870cc..3783b247 100644
 --- a/libxslt/imports.c
 +++ b/libxslt/imports.c
@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
 	int secres;
 	secres = xsltCheckRead(sec, NULL, URI);
 -	if (secres == 0) {
 -	    xsltTransformError(NULL, NULL, NULL,
 -		 "xsl:import: read rights for %s denied\n",
 -			     URI);
 +	if (secres <= 0) {
 +            if (secres == 0)
 +                xsltTransformError(NULL, NULL, NULL,
 +                     "xsl:import: read rights for %s denied\n",
 +                                 URI);
 	    goto error;
 	}
     }
 diff --git a/libxslt/transform.c b/libxslt/transform.c
 index 13793914..0636dbd0 100644
 --- a/libxslt/transform.c
 +++ b/libxslt/transform.c
@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
      */
     if (ctxt->sec != NULL) {
 	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
 -	if (ret == 0) {
 -	    xsltTransformError(ctxt, NULL, inst,
 -		 "xsltDocumentElem: write rights for %s denied\n",
 -			     filename);
 +	if (ret <= 0) {
 +            if (ret == 0)
 +                xsltTransformError(ctxt, NULL, inst,
 +                     "xsltDocumentElem: write rights for %s denied\n",
 +                                 filename);
 	    xmlFree(URL);
 	    xmlFree(filename);
 	    return;
 diff --git a/libxslt/xslt.c b/libxslt/xslt.c
 index 780a5ad7..a234eb79 100644
 --- a/libxslt/xslt.c
 +++ b/libxslt/xslt.c
@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
 	int res;
 	res = xsltCheckRead(sec, NULL, filename);
 -	if (res == 0) {
 -	    xsltTransformError(NULL, NULL, NULL,
 -		 "xsltParseStylesheetFile: read rights for %s denied\n",
 -			     filename);
 +	if (res <= 0) {
 +            if (res == 0)
 +                xsltTransformError(NULL, NULL, NULL,
 +                     "xsltParseStylesheetFile: read rights for %s denied\n",
 +                                 filename);
 	    return(NULL);
 	}
     }
 -- 
 2.24.1
--- a/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch
+++ b/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch
@ -0,0 +1,30 @@
 From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Sat, 17 Aug 2019 16:51:53 +0200
 Subject: [PATCH] Fix dangling pointer in xsltCopyText
 xsltCopyText didn't reset ctxt->lasttext in some cases which could
 lead to various memory errors in relation with CDATA sections in input
 documents.
 Found by OSS-Fuzz.
 ---
 libxslt/transform.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/libxslt/transform.c b/libxslt/transform.c
 index 95ebd073..d7ab0b66 100644
 --- a/libxslt/transform.c
 +++ b/libxslt/transform.c
@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
 	    if ((copy->content = xmlStrdup(cur->content)) == NULL)
 		return NULL;
 	}
 +
 +	ctxt->lasttext = NULL;
     } else {
         /*
 	 * normal processing. keep counters to extend the text node
 -- 
 2.22.0
--- a/SOURCES/multilib2.patch
+++ b/SOURCES/multilib2.patch
@ -0,0 +1,28 @@
 diff -urN libxslt-1.1.32/libxslt/xsltconfig.h.in libxslt-1.1.32.completemultilib/libxslt/xsltconfig.h.in
 --- libxslt-1.1.32/libxslt/xsltconfig.h.in	2017-10-26 07:55:47.000000000 +0000
 +++ libxslt-1.1.32.completemultilib/libxslt/xsltconfig.h.in	2019-05-06 11:35:57.948191169 +0000
@@ -120,7 +120,11 @@
 #ifndef WITH_MODULES
 #define WITH_MODULES
 #endif
 -#define LIBXSLT_DEFAULT_PLUGINS_PATH() "@LIBXSLT_DEFAULT_PLUGINS_PATH@"
 +#ifdef __LP64__
 +#define LIBXSLT_DEFAULT_PLUGINS_PATH() "/usr/lib64/libxslt-plugins"
 +#else
 +#define LIBXSLT_DEFAULT_PLUGINS_PATH() "/usr/lib/libxslt-plugins"
 +#endif
 #endif
 /**
 diff -urN libxslt-1.1.32/xslt-config.in libxslt-1.1.32.completemultilib/xslt-config.in
 --- libxslt-1.1.32/xslt-config.in	2015-05-10 14:11:30.000000000 +0000
 +++ libxslt-1.1.32.completemultilib/xslt-config.in	2019-05-06 11:34:59.670592304 +0000
@@ -65,7 +65,7 @@
 	;;
     --plugins)
 -	echo @LIBXSLT_DEFAULT_PLUGINS_PATH@
 +	echo ${libdir}/libxslt-plugins
 	exit 0
 	;;
--- a/SPECS/libxslt.spec
+++ b/SPECS/libxslt.spec
@ -8,7 +8,7 @@
 Name:           libxslt
 Summary:        Library providing the Gnome XSLT engine
 Version:        1.1.32
-Release:        3%{?dist}
+Release:        5%{?dist}
 License:        MIT
 URL:            http://xmlsoft.org/XSLT
@ -25,6 +25,12 @@ BuildRequires:  pkgconfig(libxml-2.0) >= 2.6.27
 # Fedora specific patches
 Patch0:         multilib.patch
 Patch1:         libxslt-1.1.26-utf8-docs.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1765632
 Patch2:         multilib2.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1775517
 Patch3:         libxslt-1.1.32-CVE-2019-18197.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1715732
 Patch4:         libxslt-1.1.32-CVE-2019-11068.patch
 %description
 This C library allows to transform XML files into other XML files
@ -129,6 +135,13 @@ rm -vrf %{buildroot}%{_docdir}
 %endif # with python2
 %changelog
 * Thu Jan 09 2020 David King <dking@redhat.com> - 1.1.32-5
 - Fix CVE-2019-18197 (#1775517)
 - Fix CVE-2019-11068 (#1715732)
 * Thu Jan 09 2020 David King <dking@redhat.com> - 1.1.32-4
 - Fix multilib issues with devel subpackage (#1765632)
 * Mon Jun 25 2018 Charalampos Stratakis <cstratak@redhat.com> - 1.1.32-3
 - Conditionalize the python2 subpackage