Accepting request 713209 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Security fix: [bsc#1140101, CVE-2019-13118]
* Fix uninitialized read with UTF-8 grouping chars. Read of
uninitialized stack data due to too narrow xsl:number
instruction and an invalid character
* Added libxslt-CVE-2019-13118.patch
- Security fix: [bsc#1140095, CVE-2019-13117]
* Fix uninitialized read of xsl:number token. An xsl number with
certain format strings could lead to a uninitialized read in
xsltNumberFormatInsertNumbers
* Added libxslt-CVE-2019-13117.patch
- Security fix: [bsc#1140101, CVE-2019-13118]
* Fix uninitialized read with UTF-8 grouping chars. Read of
uninitialized stack data due to too narrow xsl:number
instruction and an invalid character
* Added libxslt-CVE-2019-13118.patch
- Security fix: [bsc#1140095, CVE-2019-13117]
* Fix uninitialized read of xsl:number token. An xsl number with
certain format strings could lead to a uninitialized read in
xsltNumberFormatInsertNumbers
* Added libxslt-CVE-2019-13117.patch
OBS-URL: https://build.opensuse.org/request/show/713209
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=73
This commit is contained in:
Tomáš Chvátal
Git OBS Bridge
parent
bb783cf4f2
commit
95a83c45f5
29
libxslt-CVE-2019-13117.patch
Normal file
29
libxslt-CVE-2019-13117.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sat, 27 Apr 2019 11:19:48 +0200
|
||||
Subject: [PATCH] Fix uninitialized read of xsl:number token
|
||||
|
||||
Found by OSS-Fuzz.
|
||||
---
|
||||
libxslt/numbers.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
|
||||
index 89e1f668..75c31eba 100644
|
||||
--- a/libxslt/numbers.c
|
||||
+++ b/libxslt/numbers.c
|
||||
@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
|
||||
tokens->tokens[tokens->nTokens].token = val - 1;
|
||||
ix += len;
|
||||
val = xmlStringCurrentChar(NULL, format+ix, &len);
|
||||
- }
|
||||
+ } else {
|
||||
+ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
|
||||
+ tokens->tokens[tokens->nTokens].width = 1;
|
||||
+ }
|
||||
} else if ( (val == (xmlChar)'A') ||
|
||||
(val == (xmlChar)'a') ||
|
||||
(val == (xmlChar)'I') ||
|
||||
--
|
||||
2.21.0
|
||||
|
||||
71
libxslt-CVE-2019-13118.patch
Normal file
71
libxslt-CVE-2019-13118.patch
Normal file
@ -0,0 +1,71 @@
|
||||
From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Mon, 3 Jun 2019 13:14:45 +0200
|
||||
Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
|
||||
|
||||
The character type in xsltFormatNumberConversion was too narrow and
|
||||
an invalid character/length combination could be passed to
|
||||
xsltNumberFormatDecimal, resulting in an uninitialized read.
|
||||
|
||||
Found by OSS-Fuzz.
|
||||
---
|
||||
libxslt/numbers.c | 5 +++--
|
||||
tests/docs/bug-222.xml | 1 +
|
||||
tests/general/bug-222.out | 2 ++
|
||||
tests/general/bug-222.xsl | 6 ++++++
|
||||
4 files changed, 12 insertions(+), 2 deletions(-)
|
||||
create mode 100644 tests/docs/bug-222.xml
|
||||
create mode 100644 tests/general/bug-222.out
|
||||
create mode 100644 tests/general/bug-222.xsl
|
||||
|
||||
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
|
||||
index f1ed8846..20b99d5a 100644
|
||||
--- a/libxslt/numbers.c
|
||||
+++ b/libxslt/numbers.c
|
||||
@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
|
||||
number = floor((scale * number + 0.5)) / scale;
|
||||
if ((self->grouping != NULL) &&
|
||||
(self->grouping[0] != 0)) {
|
||||
+ int gchar;
|
||||
|
||||
len = xmlStrlen(self->grouping);
|
||||
- pchar = xsltGetUTF8Char(self->grouping, &len);
|
||||
+ gchar = xsltGetUTF8Char(self->grouping, &len);
|
||||
xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
|
||||
format_info.integer_digits,
|
||||
format_info.group,
|
||||
- pchar, len);
|
||||
+ gchar, len);
|
||||
} else
|
||||
xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
|
||||
format_info.integer_digits,
|
||||
diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
|
||||
new file mode 100644
|
||||
index 00000000..69d62f2c
|
||||
--- /dev/null
|
||||
+++ b/tests/docs/bug-222.xml
|
||||
@@ -0,0 +1 @@
|
||||
+<doc/>
|
||||
diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
|
||||
new file mode 100644
|
||||
index 00000000..e3139698
|
||||
--- /dev/null
|
||||
+++ b/tests/general/bug-222.out
|
||||
@@ -0,0 +1,2 @@
|
||||
+<?xml version="1.0"?>
|
||||
+1⠢0
|
||||
diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
|
||||
new file mode 100644
|
||||
index 00000000..e32dc473
|
||||
--- /dev/null
|
||||
+++ b/tests/general/bug-222.xsl
|
||||
@@ -0,0 +1,6 @@
|
||||
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
|
||||
+ <xsl:decimal-format name="f" grouping-separator="⠢"/>
|
||||
+ <xsl:template match="/">
|
||||
+ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
|
||||
+ </xsl:template>
|
||||
+</xsl:stylesheet>
|
||||
--
|
||||
2.21.0
|
||||
|
||||
@ -1,3 +1,21 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 2 15:02:27 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
- Security fix: [bsc#1140101, CVE-2019-13118]
|
||||
* Fix uninitialized read with UTF-8 grouping chars. Read of
|
||||
uninitialized stack data due to too narrow xsl:number
|
||||
instruction and an invalid character
|
||||
* Added libxslt-CVE-2019-13118.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 2 15:00:56 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
- Security fix: [bsc#1140095, CVE-2019-13117]
|
||||
* Fix uninitialized read of xsl:number token. An xsl number with
|
||||
certain format strings could lead to a uninitialized read in
|
||||
xsltNumberFormatInsertNumbers
|
||||
* Added libxslt-CVE-2019-13117.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 11 06:06:01 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
|
||||
@ -34,6 +34,10 @@ Patch1: libxslt-do_not_build_doc_nor_xsltproc.patch
|
||||
Patch2: libxslt-random-seed.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass
|
||||
Patch4: libxslt-CVE-2019-11068.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1140095 CVE-2019-13117 Fix uninitialized read of xsl:number token
|
||||
Patch5: libxslt-CVE-2019-13117.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1140101 CVE-2019-13118 Fix uninitialized read with UTF-8 grouping chars
|
||||
Patch6: libxslt-CVE-2019-13118.patch
|
||||
BuildRequires: libgcrypt-devel
|
||||
BuildRequires: libgpg-error-devel
|
||||
BuildRequires: libtool
|
||||
@ -61,6 +65,8 @@ XSLT language with XPath functions written in Python.
|
||||
%patch1
|
||||
%patch2 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
|
||||
%build
|
||||
autoreconf -fvi
|
||||
|
||||
@ -1,3 +1,21 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 2 15:02:27 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
- Security fix: [bsc#1140101, CVE-2019-13118]
|
||||
* Fix uninitialized read with UTF-8 grouping chars. Read of
|
||||
uninitialized stack data due to too narrow xsl:number
|
||||
instruction and an invalid character
|
||||
* Added libxslt-CVE-2019-13118.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 2 15:00:56 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
- Security fix: [bsc#1140095, CVE-2019-13117]
|
||||
* Fix uninitialized read of xsl:number token. An xsl number with
|
||||
certain format strings could lead to a uninitialized read in
|
||||
xsltNumberFormatInsertNumbers
|
||||
* Added libxslt-CVE-2019-13117.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 11 06:06:01 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
|
||||
@ -34,8 +34,12 @@ Patch0: %{name}-1.1.24-no-net-autobuild.patch
|
||||
Patch1: libxslt-config-fixes.patch
|
||||
Patch2: 0009-Make-generate-id-deterministic.patch
|
||||
Patch3: libxslt-random-seed.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass
|
||||
# PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass
|
||||
Patch4: libxslt-CVE-2019-11068.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1140095 CVE-2019-13117 Fix uninitialized read of xsl:number token
|
||||
Patch5: libxslt-CVE-2019-13117.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1140101 CVE-2019-13118 Fix uninitialized read with UTF-8 grouping chars
|
||||
Patch6: libxslt-CVE-2019-13118.patch
|
||||
BuildRequires: libgcrypt-devel
|
||||
BuildRequires: libgpg-error-devel
|
||||
BuildRequires: libtool
|
||||
@ -105,6 +109,8 @@ xtend the
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
|
||||
%build
|
||||
autoreconf -fvi
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user