Accepting request 741566 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Security fix [bsc#1154609, CVE-2019-18197] * Fix dangling pointer in xsltCopyText * Add libxslt-CVE-2019-18197.patch OBS-URL: https://build.opensuse.org/request/show/741566 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=80
2019-10-21 14:19:40 +00:00 · 2019-10-21 14:19:40 +00:00 · 8e9f5d7cb1
commit 8e9f5d7cb1
parent c1e05f2057
3 changed files with 40 additions and 0 deletions
--- a/libxslt-CVE-2019-18197.patch
+++ b/libxslt-CVE-2019-18197.patch
@ -0,0 +1,30 @@
+From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 17 Aug 2019 16:51:53 +0200
+Subject: [PATCH] Fix dangling pointer in xsltCopyText
+
+xsltCopyText didn't reset ctxt->lasttext in some cases which could
+lead to various memory errors in relation with CDATA sections in input
+documents.
+
+Found by OSS-Fuzz.
+---
+ libxslt/transform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 95ebd073..d7ab0b66 100644
+--- a/libxslt/transform.c
+++ b/libxslt/transform.c
+@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ 	    if ((copy->content = xmlStrdup(cur->content)) == NULL)
+ 		return NULL;
+ 	}
+
+	ctxt->lasttext = NULL;
+     } else {
+         /*
+ 	 * normal processing. keep counters to extend the text node
+-- 
+2.22.0
+
--- a/libxslt.changes
+++ b/libxslt.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Oct 21 13:55:37 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Security fix [bsc#1154609, CVE-2019-18197]
+  * Fix dangling pointer in xsltCopyText
+  * Add libxslt-CVE-2019-18197.patch
+
 -------------------------------------------------------------------
 Tue Oct  1 08:24:01 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>

--- a/libxslt.spec
+++ b/libxslt.spec
@ -40,6 +40,8 @@ Patch4:         libxslt-CVE-2019-11068.patch
 Patch5:         libxslt-CVE-2019-13117.patch
 # PATCH-FIX-UPSTREAM bsc#1140101 CVE-2019-13118 Fix uninitialized read with UTF-8 grouping chars
 Patch6:         libxslt-CVE-2019-13118.patch
+# PATCH-FIX-UPSTREAM bsc#1154609 CVE-2019-18197 Fix dangling pointer in xsltCopyText
+Patch7:         libxslt-CVE-2019-18197.patch
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libgpg-error-devel
 BuildRequires:  libtool
@ -112,6 +114,7 @@ xtend the
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1

 %build
 autoreconf -fvi