diff --git a/libxslt-CVE-2016-4738.patch b/libxslt-CVE-2016-4738.patch new file mode 100644 index 0000000..ff99291 --- /dev/null +++ b/libxslt-CVE-2016-4738.patch @@ -0,0 +1,32 @@ +From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 10 Jun 2016 14:23:58 +0200 +Subject: Fix heap overread in xsltFormatNumberConversion + +An empty decimal-separator could cause a heap overread. This can be +exploited to leak a couple of bytes after the buffer that holds the +pattern string. + +Found with afl-fuzz and ASan. +--- + libxslt/numbers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index d1549b4..e78c46b 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self, + } + + /* We have finished the integer part, now work on fraction */ +- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) { ++ if ( (*the_format != 0) && ++ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) { + format_info.add_decimal = TRUE; + the_format += xsltUTF8Size(the_format); /* Skip over the decimal */ + } +-- +cgit v0.12 + + diff --git a/libxslt-python.spec b/libxslt-python.spec index c46f33f..7c73cb3 100644 --- a/libxslt-python.spec +++ b/libxslt-python.spec @@ -1,7 +1,7 @@ # # spec file for package libxslt-python # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed diff --git a/libxslt.changes b/libxslt.changes index 8becd52..c23eabe 100644 --- a/libxslt.changes +++ b/libxslt.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Mar 13 12:43:04 UTC 2017 - pmonrealgonzalez@suse.com + +- Added patch libxslt-CVE-2016-4738.patch + * Fix heap overread in xsltFormatNumberConversion: An empty + decimal-separator could cause a heap overread. This can be + exploited to leak a couple of bytes after the buffer that holds + the pattern string. + * bsc#1005591 CVE-2016-4738 + ------------------------------------------------------------------- Sat Jun 11 11:42:29 UTC 2016 - tchvatal@suse.com diff --git a/libxslt.spec b/libxslt.spec index 204c4ae..e54ca7b 100644 --- a/libxslt.spec +++ b/libxslt.spec @@ -1,7 +1,7 @@ # # spec file for package libxslt # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -31,6 +31,7 @@ Source3: xslt-config.1 Patch0: %{name}-1.1.24-no-net-autobuild.patch Patch1: libxslt-config-fixes.patch Patch2: 0009-Make-generate-id-deterministic.patch +Patch3: libxslt-CVE-2016-4738.patch BuildRequires: libgcrypt-devel BuildRequires: libgpg-error-devel BuildRequires: libtool @@ -99,6 +100,7 @@ xtend the %patch0 %patch1 %patch2 -p1 +%patch3 -p1 %build autoreconf -fvi