From 1538c8c23523e6b19306e33ca13c7fa6423688ddd2e7c5f189330ccc3e323e53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=C4=9Bzslav=20=C4=8C=C3=AD=C5=BEek?= Date: Thu, 19 Oct 2017 12:16:49 +0000 Subject: [PATCH] Accepting request 535190 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to version 1.1.30 [bsc#1063934] * Documentation: - Misc doc fixes * Portability: - Look for libxml2 via pkg-config first * Bug Fixes: - Also fix memory hazards in exsltFuncResultElem - Fix NULL deref in xsltDefaultSortFunction - Fix memory hazards in exsltFuncFunctionFunction - Fix memory leaks in EXSLT error paths - Fix memory leak in str:concat with empty node-set - Fix memory leaks in error paths - Switch to xmlUTF8Strsize in numbers.c - Fix NULL pointer deref in xsltFormatNumberFunction - Fix UTF-8 check in str:padding - Fix xmlStrPrintf argument - Check for overflow in _exsltDateParseGYear - Fix double to int conversion - Check for overflow in exsltDateParseDuration - Change version of xsltMaxVars back to 1.0.24 - Disable xsltCopyTextString optimization for extensions - Create DOCTYPE for HTML version 5 - Make xsl:decimal-format work with namespaces - Remove norm:localTime extension function - Check for integer overflow in xsltAddTextString - Detect infinite recursion when evaluating function arguments - Fix memory leak in xsltElementAvailableFunction - Fix for pattern predicates calling functions - Fix cmd.exe invocations in Makefile.mingw - Don't try to install index.sgml OBS-URL: https://build.opensuse.org/request/show/535190 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=65 --- libxslt-1.1.28-CVE-2017-5029.patch | 74 ------------------------- libxslt-1.1.29.tar.gz | 3 - libxslt-1.1.29.tar.gz.asc | 7 --- libxslt-1.1.30.tar.gz | 3 + libxslt-1.1.30.tar.gz.asc | 10 ++++ libxslt-CVE-2016-4738.patch | 32 ----------- libxslt-python.changes | 89 ++++++++++++++++++++++++++++++ libxslt-python.spec | 6 +- libxslt.changes | 86 +++++++++++++++++++++++++++++ libxslt.spec | 9 +-- 10 files changed, 194 insertions(+), 125 deletions(-) delete mode 100644 libxslt-1.1.28-CVE-2017-5029.patch delete mode 100644 libxslt-1.1.29.tar.gz delete mode 100644 libxslt-1.1.29.tar.gz.asc create mode 100644 libxslt-1.1.30.tar.gz create mode 100644 libxslt-1.1.30.tar.gz.asc delete mode 100644 libxslt-CVE-2016-4738.patch diff --git a/libxslt-1.1.28-CVE-2017-5029.patch b/libxslt-1.1.28-CVE-2017-5029.patch deleted file mode 100644 index 9649cd8..0000000 --- a/libxslt-1.1.28-CVE-2017-5029.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 12 Jan 2017 15:39:52 +0100 -Subject: Check for integer overflow in xsltAddTextString - -Limit buffer size in xsltAddTextString to INT_MAX. The issue can be -exploited to trigger an out of bounds write on 64-bit systems. - -Originally reported to Chromium: - -https://crbug.com/676623 ---- - libxslt/transform.c | 25 ++++++++++++++++++++++--- - libxslt/xsltInternals.h | 4 ++-- - 2 files changed, 24 insertions(+), 5 deletions(-) - -diff --git a/libxslt/transform.c b/libxslt/transform.c -index 519133f..02bff34 100644 ---- a/libxslt/transform.c -+++ b/libxslt/transform.c -@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, - return(target); - - if (ctxt->lasttext == target->content) { -+ int minSize; - -- if (ctxt->lasttuse + len >= ctxt->lasttsize) { -+ /* Check for integer overflow accounting for NUL terminator. */ -+ if (len >= INT_MAX - ctxt->lasttuse) { -+ xsltTransformError(ctxt, NULL, target, -+ "xsltCopyText: text allocation failed\n"); -+ return(NULL); -+ } -+ minSize = ctxt->lasttuse + len + 1; -+ -+ if (ctxt->lasttsize < minSize) { - xmlChar *newbuf; - int size; -+ int extra; -+ -+ /* Double buffer size but increase by at least 100 bytes. */ -+ extra = minSize < 100 ? 100 : minSize; -+ -+ /* Check for integer overflow. */ -+ if (extra > INT_MAX - ctxt->lasttsize) { -+ size = INT_MAX; -+ } -+ else { -+ size = ctxt->lasttsize + extra; -+ } - -- size = ctxt->lasttsize + len + 100; -- size *= 2; - newbuf = (xmlChar *) xmlRealloc(target->content,size); - if (newbuf == NULL) { - xsltTransformError(ctxt, NULL, target, -diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h -index 060b178..5ad1771 100644 ---- a/libxslt/xsltInternals.h -+++ b/libxslt/xsltInternals.h -@@ -1754,8 +1754,8 @@ struct _xsltTransformContext { - * Speed optimization when coalescing text nodes - */ - const xmlChar *lasttext; /* last text node content */ -- unsigned int lasttsize; /* last text node size */ -- unsigned int lasttuse; /* last text node use */ -+ int lasttsize; /* last text node size */ -+ int lasttuse; /* last text node use */ - /* - * Per Context Debugging - */ --- -cgit v0.12 - diff --git a/libxslt-1.1.29.tar.gz b/libxslt-1.1.29.tar.gz deleted file mode 100644 index a76498a..0000000 --- a/libxslt-1.1.29.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:b5976e3857837e7617b29f2249ebb5eeac34e249208d31f1fbf7a6ba7a4090ce -size 3428524 diff --git a/libxslt-1.1.29.tar.gz.asc b/libxslt-1.1.29.tar.gz.asc deleted file mode 100644 index d2519ed..0000000 --- a/libxslt-1.1.29.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAldDtVwACgkQRga4pd6VvB8F5ACbBAolNImNScVOescshMRuEwFB -KOkAnA5I+He/EmWeyL5/+BXPlWCd/NDn -=/Fe0 ------END PGP SIGNATURE----- diff --git a/libxslt-1.1.30.tar.gz b/libxslt-1.1.30.tar.gz new file mode 100644 index 0000000..c54e2ea --- /dev/null +++ b/libxslt-1.1.30.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ba65236116de8326d83378b2bd929879fa185195bc530b9d1aba72107910b6b3 +size 3444029 diff --git a/libxslt-1.1.30.tar.gz.asc b/libxslt-1.1.30.tar.gz.asc new file mode 100644 index 0000000..c695b62 --- /dev/null +++ b/libxslt-1.1.30.tar.gz.asc @@ -0,0 +1,10 @@ +-----BEGIN PGP SIGNATURE----- + +iQEcBAABAgAGBQJZrVbGAAoJEBVYiyZZa+pdVrMH/Ru0J8zvwx8Geu6PX8ykvdEU +o5U/izwg8C8a1mtI9M8PcVUsERQinBcngO14Vk0V0dXHLp7/IEpRuXksCYkcTJL9 +HawU2uDXTE/VwUl9aM2OXJOCk9W/JUkElbqEG11LCfU6uGlV+mFpLVO+eMDPxlRZ +v2LMs/yBFSiwNw757771ADShdRe3QxqhRscikK/yz/BRESdqls3/3y6GSEV2rx2n +VKVvsuHFisviwEn+1pvqcAGNCm0pIkPX6/nr+ayK3rBX7tmS493Stp6e/qUYKo6e +5cmdTkPhpzICQH2yqeUlfMp1M1nN50oShpvQqyjmpI+SV1udw08suIxVTDUCTRc= +=LjYD +-----END PGP SIGNATURE----- diff --git a/libxslt-CVE-2016-4738.patch b/libxslt-CVE-2016-4738.patch deleted file mode 100644 index ff99291..0000000 --- a/libxslt-CVE-2016-4738.patch +++ /dev/null @@ -1,32 +0,0 @@ -From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 10 Jun 2016 14:23:58 +0200 -Subject: Fix heap overread in xsltFormatNumberConversion - -An empty decimal-separator could cause a heap overread. This can be -exploited to leak a couple of bytes after the buffer that holds the -pattern string. - -Found with afl-fuzz and ASan. ---- - libxslt/numbers.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libxslt/numbers.c b/libxslt/numbers.c -index d1549b4..e78c46b 100644 ---- a/libxslt/numbers.c -+++ b/libxslt/numbers.c -@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self, - } - - /* We have finished the integer part, now work on fraction */ -- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) { -+ if ( (*the_format != 0) && -+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) { - format_info.add_decimal = TRUE; - the_format += xsltUTF8Size(the_format); /* Skip over the decimal */ - } --- -cgit v0.12 - - diff --git a/libxslt-python.changes b/libxslt-python.changes index 8a7e68c..1dd57fb 100644 --- a/libxslt-python.changes +++ b/libxslt-python.changes @@ -1,3 +1,92 @@ +------------------------------------------------------------------- +Thu Oct 19 11:18:49 UTC 2017 - pmonrealgonzalez@suse.com + +- Update to version 1.1.30 [bsc#1063934] + * Documentation: + - Misc doc fixes + * Portability: + - Look for libxml2 via pkg-config first + * Bug Fixes: + - Also fix memory hazards in exsltFuncResultElem + - Fix NULL deref in xsltDefaultSortFunction + - Fix memory hazards in exsltFuncFunctionFunction + - Fix memory leaks in EXSLT error paths + - Fix memory leak in str:concat with empty node-set + - Fix memory leaks in error paths + - Switch to xmlUTF8Strsize in numbers.c + - Fix NULL pointer deref in xsltFormatNumberFunction + - Fix UTF-8 check in str:padding + - Fix xmlStrPrintf argument + - Check for overflow in _exsltDateParseGYear + - Fix double to int conversion + - Check for overflow in exsltDateParseDuration + - Change version of xsltMaxVars back to 1.0.24 + - Disable xsltCopyTextString optimization for extensions + - Create DOCTYPE for HTML version 5 + - Make xsl:decimal-format work with namespaces + - Remove norm:localTime extension function + - Check for integer overflow in xsltAddTextString + - Detect infinite recursion when evaluating function arguments + - Fix memory leak in xsltElementAvailableFunction + - Fix for pattern predicates calling functions + - Fix cmd.exe invocations in Makefile.mingw + - Don't try to install index.sgml + - Fix symbols.xml + - Fix heap overread in xsltFormatNumberConversion + - Fix for non-element nodes + - Fix unreachable code in xsltAddChild + - Change version number in xsl:version warning + - Avoid infinite recursion after failed param evaluation + - Stop if potential recursion is detected + - Consider built-in templates in apply-imports + - Fix precedence with multiple attribute sets + - Rework attribute set resolution + * Improvements: + - Silence tests a little + - Set LIBXML_SRC to absolute path + - Add missing #include + - Adjust expected error messages in tests + - Make xsltDebug more quiet + - New-line terminate error message that missed this convention + - Use xmlBuffers in EXSLT string functions + - Switch to xmlUTF8Strsize in EXSLT string functions + - Check for return value of xmlUTF8Strlen + - Avoid double/long round trip in FORMAT_ITEM + - Separate date and duration structs + - Check for overflow in _exsltDateDifference + - Clamp seconds field of durations + - Change _exsltDateAddDurCalc parameter types + - Fix date:difference with time zones + - Rework division/remainder arithmetic in date.c + - Remove exsltDateCastDateToNumber + - Change internal representation of years + - Optimize IS_LEAP + - Link libraries with libm + - Rename xsltCopyTreeInternal to xsltCopyTree + - Update linker version script + - Add local wildcard to version script + - Make some symbols static + - Remove redundant NULL check in xsltNumberComp + - Fix forwards compatibility for imported stylesheets + - Reduce warnings in forwards-compatible mode + - Precompute XSLT elements after preprocessing + - Fix whitespace in xsltParseStylesheetTop + - Consolidate recursion checks + - Treat XSLT_STATE_STOPPED same as errors + - Make sure that XSLT_STATE_STOPPED isn't overwritten + - Add comment regarding built-in templates and params + - Rewrite memory management of local RVTs + - Validate QNames of attribute sets + - Add xsl:attribute-set regression tests + - Ignore imported stylesheets in xsltApplyAttributeSet + +------------------------------------------------------------------- +Thu Oct 19 11:15:22 UTC 2017 - pmonrealgonzalez@suse.com + +- security update: initialize random generator, CVE-2015-9019 + [bsc#934119] + + libxslt-random-seed.patch + ------------------------------------------------------------------- Mon Sep 11 18:35:31 UTC 2017 - jengelh@inai.de diff --git a/libxslt-python.spec b/libxslt-python.spec index 9193b94..a7a8dac 100644 --- a/libxslt-python.spec +++ b/libxslt-python.spec @@ -18,7 +18,7 @@ %define libname libxslt1 Name: libxslt-python -Version: 1.1.29 +Version: 1.1.30 Release: 0 Summary: Python Bindings for libxslt License: MIT @@ -31,13 +31,14 @@ Patch0: libxslt-1.1.24-linkflags.patch # pbleser: don't build the doc subdir as it's broken and we don't install # it anyway; neither build the xsltproc subdir (not packaged here, faster) Patch1: libxslt-do_not_build_doc_nor_xsltproc.patch +Patch2: libxslt-random-seed.patch BuildRequires: libgcrypt-devel BuildRequires: libgpg-error-devel BuildRequires: libtool BuildRequires: libxml2-devel -BuildRequires: libxml2-python BuildRequires: libxslt-tools BuildRequires: python-devel +BuildRequires: python-libxml2 BuildRequires: python-xml #!BuildIgnore: python Requires: %{libname} = %{version} @@ -56,6 +57,7 @@ XSLT language with XPath functions written in Python. %setup -q -n libxslt-%{version} %patch0 %patch1 +%patch2 -p1 %build autoreconf -fvi diff --git a/libxslt.changes b/libxslt.changes index c1e5ff6..baa7b28 100644 --- a/libxslt.changes +++ b/libxslt.changes @@ -1,3 +1,89 @@ +------------------------------------------------------------------- +Thu Oct 19 10:09:45 UTC 2017 - pmonrealgonzalez@suse.com + +- Update to version 1.1.30 [bsc#1063934] + * Documentation: + - Misc doc fixes + * Portability: + - Look for libxml2 via pkg-config first + * Bug Fixes: + - Also fix memory hazards in exsltFuncResultElem + - Fix NULL deref in xsltDefaultSortFunction + - Fix memory hazards in exsltFuncFunctionFunction + - Fix memory leaks in EXSLT error paths + - Fix memory leak in str:concat with empty node-set + - Fix memory leaks in error paths + - Switch to xmlUTF8Strsize in numbers.c + - Fix NULL pointer deref in xsltFormatNumberFunction + - Fix UTF-8 check in str:padding + - Fix xmlStrPrintf argument + - Check for overflow in _exsltDateParseGYear + - Fix double to int conversion + - Check for overflow in exsltDateParseDuration + - Change version of xsltMaxVars back to 1.0.24 + - Disable xsltCopyTextString optimization for extensions + - Create DOCTYPE for HTML version 5 + - Make xsl:decimal-format work with namespaces + - Remove norm:localTime extension function + - Check for integer overflow in xsltAddTextString + - Detect infinite recursion when evaluating function arguments + - Fix memory leak in xsltElementAvailableFunction + - Fix for pattern predicates calling functions + - Fix cmd.exe invocations in Makefile.mingw + - Don't try to install index.sgml + - Fix symbols.xml + - Fix heap overread in xsltFormatNumberConversion + - Fix for non-element nodes + - Fix unreachable code in xsltAddChild + - Change version number in xsl:version warning + - Avoid infinite recursion after failed param evaluation + - Stop if potential recursion is detected + - Consider built-in templates in apply-imports + - Fix precedence with multiple attribute sets + - Rework attribute set resolution + * Improvements: + - Silence tests a little + - Set LIBXML_SRC to absolute path + - Add missing #include + - Adjust expected error messages in tests + - Make xsltDebug more quiet + - New-line terminate error message that missed this convention + - Use xmlBuffers in EXSLT string functions + - Switch to xmlUTF8Strsize in EXSLT string functions + - Check for return value of xmlUTF8Strlen + - Avoid double/long round trip in FORMAT_ITEM + - Separate date and duration structs + - Check for overflow in _exsltDateDifference + - Clamp seconds field of durations + - Change _exsltDateAddDurCalc parameter types + - Fix date:difference with time zones + - Rework division/remainder arithmetic in date.c + - Remove exsltDateCastDateToNumber + - Change internal representation of years + - Optimize IS_LEAP + - Link libraries with libm + - Rename xsltCopyTreeInternal to xsltCopyTree + - Update linker version script + - Add local wildcard to version script + - Make some symbols static + - Remove redundant NULL check in xsltNumberComp + - Fix forwards compatibility for imported stylesheets + - Reduce warnings in forwards-compatible mode + - Precompute XSLT elements after preprocessing + - Fix whitespace in xsltParseStylesheetTop + - Consolidate recursion checks + - Treat XSLT_STATE_STOPPED same as errors + - Make sure that XSLT_STATE_STOPPED isn't overwritten + - Add comment regarding built-in templates and params + - Rewrite memory management of local RVTs + - Validate QNames of attribute sets + - Add xsl:attribute-set regression tests + - Ignore imported stylesheets in xsltApplyAttributeSet + +- Dropped patches fixed upstream + * libxslt-CVE-2016-4738.patch + * libxslt-1.1.28-CVE-2017-5029.patch + ------------------------------------------------------------------- Mon Sep 11 18:35:31 UTC 2017 - jengelh@inai.de diff --git a/libxslt.spec b/libxslt.spec index bbe4a33..81a5cbd 100644 --- a/libxslt.spec +++ b/libxslt.spec @@ -19,7 +19,7 @@ %define libname %{name}1 %define exname libexslt0 Name: libxslt -Version: 1.1.29 +Version: 1.1.30 Release: 0 Summary: XSL Transformation Library License: MIT AND GPL-2.0+ @@ -33,10 +33,7 @@ Source99: baselibs.conf Patch0: %{name}-1.1.24-no-net-autobuild.patch Patch1: libxslt-config-fixes.patch Patch2: 0009-Make-generate-id-deterministic.patch -Patch3: libxslt-CVE-2016-4738.patch -Patch4: libxslt-random-seed.patch -# PATCH-FIX-UPSTREAM CVE-2017-5029 bsc#1035905 -Patch5: libxslt-1.1.28-CVE-2017-5029.patch +Patch3: libxslt-random-seed.patch BuildRequires: libgcrypt-devel BuildRequires: libgpg-error-devel BuildRequires: libtool @@ -105,8 +102,6 @@ xtend the %patch1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 %build autoreconf -fvi