Accepting request 693134 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/693134
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libxslt?expand=0&rev=57

libxslt-CVE-2019-11068.patch

@@ -0,0 +1,120 @@
+From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: [PATCH] Fix security framework bypass
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c   |  9 +++++----
+ libxslt/transform.c |  9 +++++----
+ libxslt/xslt.c      |  9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312..4aad11bb 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(ctxt->sec, ctxt, URI);
+-	if (res == 0) {
+-	    xsltTransformError(ctxt, NULL, NULL,
+-		 "xsltLoadDocument: read rights for %s denied\n",
+-			     URI);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(ctxt, NULL, NULL,
++                     "xsltLoadDocument: read rights for %s denied\n",
++                                 URI);
+ 	    return(NULL);
+ 	}
+     }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(sec, NULL, URI);
+-	if (res == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsltLoadStyleDocument: read rights for %s denied\n",
+-			     URI);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsltLoadStyleDocument: read rights for %s denied\n",
++                                 URI);
+ 	    return(NULL);
+ 	}
+     }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cc..3783b247 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ 	int secres;
+ 
+ 	secres = xsltCheckRead(sec, NULL, URI);
+-	if (secres == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsl:import: read rights for %s denied\n",
+-			     URI);
++	if (secres <= 0) {
++            if (secres == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsl:import: read rights for %s denied\n",
++                                 URI);
+ 	    goto error;
+ 	}
+     }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914..0636dbd0 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+      */
+     if (ctxt->sec != NULL) {
+ 	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+-	if (ret == 0) {
+-	    xsltTransformError(ctxt, NULL, inst,
+-		 "xsltDocumentElem: write rights for %s denied\n",
+-			     filename);
++	if (ret <= 0) {
++            if (ret == 0)
++                xsltTransformError(ctxt, NULL, inst,
++                     "xsltDocumentElem: write rights for %s denied\n",
++                                 filename);
+ 	    xmlFree(URL);
+ 	    xmlFree(filename);
+ 	    return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad7..a234eb79 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(sec, NULL, filename);
+-	if (res == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsltParseStylesheetFile: read rights for %s denied\n",
+-			     filename);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsltParseStylesheetFile: read rights for %s denied\n",
++                                 filename);
+ 	    return(NULL);
+ 	}
+     }
+-- 
+2.18.1
+

libxslt-python.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Apr 11 06:06:01 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Security fix: [bsc#1132160, CVE-2019-11068]
+  * Bypass of a protection mechanism because callers of xsltCheckRead
+    and xsltCheckWrite permit access even upon receiving a -1 error
+    code. xsltCheckRead can return -1 for a crafted URL that is not
+    actually invalid and is subsequently loaded.
+  * Added libxslt-CVE-2019-11068.patch
+
 -------------------------------------------------------------------
 Mon Mar  4 13:11:30 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 

libxslt-python.spec

@@ -32,6 +32,8 @@ Patch0:         libxslt-1.1.24-linkflags.patch
 # it anyway; neither build the xsltproc subdir (not packaged here, faster)
 Patch1:         libxslt-do_not_build_doc_nor_xsltproc.patch
 Patch2:         libxslt-random-seed.patch
+# PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass
+Patch4:         libxslt-CVE-2019-11068.patch
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libgpg-error-devel
 BuildRequires:  libtool
@@ -58,6 +60,7 @@ XSLT language with XPath functions written in Python.
 %patch0
 %patch1
 %patch2 -p1
+%patch4 -p1
 
 %build
 autoreconf -fvi

libxslt.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Apr 11 06:06:01 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Security fix: [bsc#1132160, CVE-2019-11068]
+  * Bypass of a protection mechanism because callers of xsltCheckRead
+    and xsltCheckWrite permit access even upon receiving a -1 error
+    code. xsltCheckRead can return -1 for a crafted URL that is not
+    actually invalid and is subsequently loaded.
+  * Added libxslt-CVE-2019-11068.patch
+
 -------------------------------------------------------------------
 Mon Mar  4 13:11:30 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 

libxslt.spec

@@ -34,6 +34,8 @@ Patch0:         %{name}-1.1.24-no-net-autobuild.patch
 Patch1:         libxslt-config-fixes.patch
 Patch2:         0009-Make-generate-id-deterministic.patch
 Patch3:         libxslt-random-seed.patch
+# PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass 
+Patch4:         libxslt-CVE-2019-11068.patch
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libgpg-error-devel
 BuildRequires:  libtool
@@ -102,6 +104,7 @@ xtend the
 %patch1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %build
 autoreconf -fvi