pool/libxslt
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 535219 from devel:libraries:c_c++

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/535219
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libxslt?expand=0&rev=54
This commit is contained in:
Dominique Leuenberger 2017-10-28 12:17:38 +00:00 committed by Git OBS Bridge
commit 49073e7fda
10 changed files with 194 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
libxslt-1.1.28-CVE-2017-5029.patch
View File

@ -1,74 +0,0 @@
From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 12 Jan 2017 15:39:52 +0100
Subject: Check for integer overflow in xsltAddTextString
Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.
Originally reported to Chromium:
https://crbug.com/676623
---
libxslt/transform.c | 25 ++++++++++++++++++++++---
libxslt/xsltInternals.h | 4 ++--
2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 519133f..02bff34 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
return(target);
if (ctxt->lasttext == target->content) {
+ int minSize;
- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
+ /* Check for integer overflow accounting for NUL terminator. */
+ if (len >= INT_MAX - ctxt->lasttuse) {
+ xsltTransformError(ctxt, NULL, target,
+ "xsltCopyText: text allocation failed\n");
+ return(NULL);
+ }
+ minSize = ctxt->lasttuse + len + 1;
+
+ if (ctxt->lasttsize < minSize) {
xmlChar *newbuf;
int size;
+ int extra;
+
+ /* Double buffer size but increase by at least 100 bytes. */
+ extra = minSize < 100 ? 100 : minSize;
+
+ /* Check for integer overflow. */
+ if (extra > INT_MAX - ctxt->lasttsize) {
+ size = INT_MAX;
+ }
+ else {
+ size = ctxt->lasttsize + extra;
+ }
- size = ctxt->lasttsize + len + 100;
- size *= 2;
newbuf = (xmlChar *) xmlRealloc(target->content,size);
if (newbuf == NULL) {
xsltTransformError(ctxt, NULL, target,
diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
index 060b178..5ad1771 100644
--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
* Speed optimization when coalescing text nodes
*/
const xmlChar *lasttext; /* last text node content */
- unsigned int lasttsize; /* last text node size */
- unsigned int lasttuse; /* last text node use */
+ int lasttsize; /* last text node size */
+ int lasttuse; /* last text node use */
/*
* Per Context Debugging
*/
--
cgit v0.12

3
libxslt-1.1.29.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b5976e3857837e7617b29f2249ebb5eeac34e249208d31f1fbf7a6ba7a4090ce
size 3428524

7
libxslt-1.1.29.tar.gz.asc
View File

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAldDtVwACgkQRga4pd6VvB8F5ACbBAolNImNScVOescshMRuEwFB
KOkAnA5I+He/EmWeyL5/+BXPlWCd/NDn
=/Fe0
-----END PGP SIGNATURE-----

3
libxslt-1.1.30.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ba65236116de8326d83378b2bd929879fa185195bc530b9d1aba72107910b6b3
size 3444029

10
libxslt-1.1.30.tar.gz.asc Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJZrVbGAAoJEBVYiyZZa+pdVrMH/Ru0J8zvwx8Geu6PX8ykvdEU
o5U/izwg8C8a1mtI9M8PcVUsERQinBcngO14Vk0V0dXHLp7/IEpRuXksCYkcTJL9
HawU2uDXTE/VwUl9aM2OXJOCk9W/JUkElbqEG11LCfU6uGlV+mFpLVO+eMDPxlRZ
v2LMs/yBFSiwNw757771ADShdRe3QxqhRscikK/yz/BRESdqls3/3y6GSEV2rx2n
VKVvsuHFisviwEn+1pvqcAGNCm0pIkPX6/nr+ayK3rBX7tmS493Stp6e/qUYKo6e
5cmdTkPhpzICQH2yqeUlfMp1M1nN50oShpvQqyjmpI+SV1udw08suIxVTDUCTRc=
=LjYD
-----END PGP SIGNATURE-----

32
libxslt-CVE-2016-4738.patch
View File

@ -1,32 +0,0 @@
From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 10 Jun 2016 14:23:58 +0200
Subject: Fix heap overread in xsltFormatNumberConversion
An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.
Found with afl-fuzz and ASan.
---
libxslt/numbers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index d1549b4..e78c46b 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
}
/* We have finished the integer part, now work on fraction */
- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
+ if ( (*the_format != 0) &&
+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
format_info.add_decimal = TRUE;
the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
}
--
cgit v0.12

89
libxslt-python.changes
View File

@ -1,3 +1,92 @@
-------------------------------------------------------------------
Thu Oct 19 11:18:49 UTC 2017 - pmonrealgonzalez@suse.com
- Update to version 1.1.30 [bsc#1063934]
* Documentation:
- Misc doc fixes
* Portability:
- Look for libxml2 via pkg-config first
* Bug Fixes:
- Also fix memory hazards in exsltFuncResultElem
- Fix NULL deref in xsltDefaultSortFunction
- Fix memory hazards in exsltFuncFunctionFunction
- Fix memory leaks in EXSLT error paths
- Fix memory leak in str:concat with empty node-set
- Fix memory leaks in error paths
- Switch to xmlUTF8Strsize in numbers.c
- Fix NULL pointer deref in xsltFormatNumberFunction
- Fix UTF-8 check in str:padding
- Fix xmlStrPrintf argument
- Check for overflow in _exsltDateParseGYear
- Fix double to int conversion
- Check for overflow in exsltDateParseDuration
- Change version of xsltMaxVars back to 1.0.24
- Disable xsltCopyTextString optimization for extensions
- Create DOCTYPE for HTML version 5
- Make xsl:decimal-format work with namespaces
- Remove norm:localTime extension function
- Check for integer overflow in xsltAddTextString
- Detect infinite recursion when evaluating function arguments
- Fix memory leak in xsltElementAvailableFunction
- Fix for pattern predicates calling functions
- Fix cmd.exe invocations in Makefile.mingw
- Don't try to install index.sgml
- Fix symbols.xml
- Fix heap overread in xsltFormatNumberConversion
- Fix <xsl:number level="any"/> for non-element nodes
- Fix unreachable code in xsltAddChild
- Change version number in xsl:version warning
- Avoid infinite recursion after failed param evaluation
- Stop if potential recursion is detected
- Consider built-in templates in apply-imports
- Fix precedence with multiple attribute sets
- Rework attribute set resolution
* Improvements:
- Silence tests a little
- Set LIBXML_SRC to absolute path
- Add missing #include
- Adjust expected error messages in tests
- Make xsltDebug more quiet
- New-line terminate error message that missed this convention
- Use xmlBuffers in EXSLT string functions
- Switch to xmlUTF8Strsize in EXSLT string functions
- Check for return value of xmlUTF8Strlen
- Avoid double/long round trip in FORMAT_ITEM
- Separate date and duration structs
- Check for overflow in _exsltDateDifference
- Clamp seconds field of durations
- Change _exsltDateAddDurCalc parameter types
- Fix date:difference with time zones
- Rework division/remainder arithmetic in date.c
- Remove exsltDateCastDateToNumber
- Change internal representation of years
- Optimize IS_LEAP
- Link libraries with libm
- Rename xsltCopyTreeInternal to xsltCopyTree
- Update linker version script
- Add local wildcard to version script
- Make some symbols static
- Remove redundant NULL check in xsltNumberComp
- Fix forwards compatibility for imported stylesheets
- Reduce warnings in forwards-compatible mode
- Precompute XSLT elements after preprocessing
- Fix whitespace in xsltParseStylesheetTop
- Consolidate recursion checks
- Treat XSLT_STATE_STOPPED same as errors
- Make sure that XSLT_STATE_STOPPED isn't overwritten
- Add comment regarding built-in templates and params
- Rewrite memory management of local RVTs
- Validate QNames of attribute sets
- Add xsl:attribute-set regression tests
- Ignore imported stylesheets in xsltApplyAttributeSet
-------------------------------------------------------------------
Thu Oct 19 11:15:22 UTC 2017 - pmonrealgonzalez@suse.com
- security update: initialize random generator, CVE-2015-9019
[bsc#934119]
+ libxslt-random-seed.patch
-------------------------------------------------------------------
Mon Sep 11 18:35:31 UTC 2017 - jengelh@inai.de

6
libxslt-python.spec
View File

@ -18,7 +18,7 @@
%define libname libxslt1
Name: libxslt-python
Version: 1.1.29
Version: 1.1.30
Release: 0
Summary: Python Bindings for libxslt
License: MIT
@ -31,13 +31,14 @@ Patch0: libxslt-1.1.24-linkflags.patch
# pbleser: don't build the doc subdir as it's broken and we don't install
# it anyway; neither build the xsltproc subdir (not packaged here, faster)
Patch1: libxslt-do_not_build_doc_nor_xsltproc.patch
Patch2: libxslt-random-seed.patch
BuildRequires: libgcrypt-devel
BuildRequires: libgpg-error-devel
BuildRequires: libtool
BuildRequires: libxml2-devel
BuildRequires: libxml2-python
BuildRequires: libxslt-tools
BuildRequires: python-devel
BuildRequires: python-libxml2
BuildRequires: python-xml
#!BuildIgnore: python
Requires: %{libname} = %{version}
@ -56,6 +57,7 @@ XSLT language with XPath functions written in Python.
%setup -q -n libxslt-%{version}
%patch0
%patch1
%patch2 -p1
%build
autoreconf -fvi

86
libxslt.changes
View File

@ -1,3 +1,89 @@
-------------------------------------------------------------------
Thu Oct 19 10:09:45 UTC 2017 - pmonrealgonzalez@suse.com
- Update to version 1.1.30 [bsc#1063934]
* Documentation:
- Misc doc fixes
* Portability:
- Look for libxml2 via pkg-config first
* Bug Fixes:
- Also fix memory hazards in exsltFuncResultElem
- Fix NULL deref in xsltDefaultSortFunction
- Fix memory hazards in exsltFuncFunctionFunction
- Fix memory leaks in EXSLT error paths
- Fix memory leak in str:concat with empty node-set
- Fix memory leaks in error paths
- Switch to xmlUTF8Strsize in numbers.c
- Fix NULL pointer deref in xsltFormatNumberFunction
- Fix UTF-8 check in str:padding
- Fix xmlStrPrintf argument
- Check for overflow in _exsltDateParseGYear
- Fix double to int conversion
- Check for overflow in exsltDateParseDuration
- Change version of xsltMaxVars back to 1.0.24
- Disable xsltCopyTextString optimization for extensions
- Create DOCTYPE for HTML version 5
- Make xsl:decimal-format work with namespaces
- Remove norm:localTime extension function
- Check for integer overflow in xsltAddTextString
- Detect infinite recursion when evaluating function arguments
- Fix memory leak in xsltElementAvailableFunction
- Fix for pattern predicates calling functions
- Fix cmd.exe invocations in Makefile.mingw
- Don't try to install index.sgml
- Fix symbols.xml
- Fix heap overread in xsltFormatNumberConversion
- Fix <xsl:number level="any"/> for non-element nodes
- Fix unreachable code in xsltAddChild
- Change version number in xsl:version warning
- Avoid infinite recursion after failed param evaluation
- Stop if potential recursion is detected
- Consider built-in templates in apply-imports
- Fix precedence with multiple attribute sets
- Rework attribute set resolution
* Improvements:
- Silence tests a little
- Set LIBXML_SRC to absolute path
- Add missing #include
- Adjust expected error messages in tests
- Make xsltDebug more quiet
- New-line terminate error message that missed this convention
- Use xmlBuffers in EXSLT string functions
- Switch to xmlUTF8Strsize in EXSLT string functions
- Check for return value of xmlUTF8Strlen
- Avoid double/long round trip in FORMAT_ITEM
- Separate date and duration structs
- Check for overflow in _exsltDateDifference
- Clamp seconds field of durations
- Change _exsltDateAddDurCalc parameter types
- Fix date:difference with time zones
- Rework division/remainder arithmetic in date.c
- Remove exsltDateCastDateToNumber
- Change internal representation of years
- Optimize IS_LEAP
- Link libraries with libm
- Rename xsltCopyTreeInternal to xsltCopyTree
- Update linker version script
- Add local wildcard to version script
- Make some symbols static
- Remove redundant NULL check in xsltNumberComp
- Fix forwards compatibility for imported stylesheets
- Reduce warnings in forwards-compatible mode
- Precompute XSLT elements after preprocessing
- Fix whitespace in xsltParseStylesheetTop
- Consolidate recursion checks
- Treat XSLT_STATE_STOPPED same as errors
- Make sure that XSLT_STATE_STOPPED isn't overwritten
- Add comment regarding built-in templates and params
- Rewrite memory management of local RVTs
- Validate QNames of attribute sets
- Add xsl:attribute-set regression tests
- Ignore imported stylesheets in xsltApplyAttributeSet
- Dropped patches fixed upstream
* libxslt-CVE-2016-4738.patch
* libxslt-1.1.28-CVE-2017-5029.patch
-------------------------------------------------------------------
Mon Sep 11 18:35:31 UTC 2017 - jengelh@inai.de

9
libxslt.spec
View File

@ -19,7 +19,7 @@
%define libname %{name}1
%define exname libexslt0
Name: libxslt
Version: 1.1.29
Version: 1.1.30
Release: 0
Summary: XSL Transformation Library
License: MIT AND GPL-2.0+
@ -33,10 +33,7 @@ Source99: baselibs.conf
Patch0: %{name}-1.1.24-no-net-autobuild.patch
Patch1: libxslt-config-fixes.patch
Patch2: 0009-Make-generate-id-deterministic.patch
Patch3: libxslt-CVE-2016-4738.patch
Patch4: libxslt-random-seed.patch
# PATCH-FIX-UPSTREAM CVE-2017-5029 bsc#1035905
Patch5: libxslt-1.1.28-CVE-2017-5029.patch
Patch3: libxslt-random-seed.patch
BuildRequires: libgcrypt-devel
BuildRequires: libgpg-error-devel
BuildRequires: libtool
@ -105,8 +102,6 @@ xtend the
%patch1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
autoreconf -fvi