diff options
author | Max Rees <maxcrees@me.com> | 2019-07-23 18:07:09 -0400 |
---|---|---|
committer | Max Rees <maxcrees@me.com> | 2019-07-23 18:07:09 -0400 |
commit | 0b09c67b8eba048295e57af90599dd74d1e30df8 (patch) | |
tree | 9fa18b7e838bdcb803e806a8f893217a11f184e0 | |
parent | b7ffaa4d55e1faf4de0f8e6a2edf372fedfeaf71 (diff) | |
download | packages-0b09c67b8eba048295e57af90599dd74d1e30df8.tar.gz packages-0b09c67b8eba048295e57af90599dd74d1e30df8.tar.bz2 packages-0b09c67b8eba048295e57af90599dd74d1e30df8.tar.xz packages-0b09c67b8eba048295e57af90599dd74d1e30df8.zip |
system/libxslt: patch for CVE-2019-13117, CVE-2019-13118
-rw-r--r-- | system/libxslt/APKBUILD | 13 | ||||
-rw-r--r-- | system/libxslt/CVE-2019-13117.patch | 29 | ||||
-rw-r--r-- | system/libxslt/CVE-2019-13118.patch | 71 |
3 files changed, 110 insertions, 3 deletions
diff --git a/system/libxslt/APKBUILD b/system/libxslt/APKBUILD index 49a07d7cf..c387c6d45 100644 --- a/system/libxslt/APKBUILD +++ b/system/libxslt/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=libxslt pkgver=1.1.33 -pkgrel=1 +pkgrel=2 pkgdesc="XML stylesheet transformation library" url="http://xmlsoft.org/XSLT/" arch="all" @@ -10,13 +10,18 @@ license="SGI-B-2.0" makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python3-dev" subpackages="$pkgname-doc $pkgname-dev" source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz - CVE-2019-11068.patch" + CVE-2019-11068.patch + CVE-2019-13117.patch + CVE-2019-13118.patch" # secfixes: # 1.1.29-r1: # - CVE-2017-5029 # 1.1.33-r1: # - CVE-2019-11068 +# 1.1.33-r2: +# - CVE-2019-13117 +# - CVE-2019-13118 build() { ./configure \ @@ -35,4 +40,6 @@ package() { } sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0 libxslt-1.1.33.tar.gz -48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41 CVE-2019-11068.patch" +48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41 CVE-2019-11068.patch +b311e253a5c4f425f84344397974562a76b253ca14f63b48af7aa0faa561d5f728cb73ee63024993fad3ee7fc7eddb9c9d7310ab8faa5f6a14fd1c6d0037999f CVE-2019-13117.patch +44d3bb5dda6965f48e3af96c77ffa5f1f2e3c191cf1f28ac1b7b3501420393b5628b12b99fe4008b5056384dfebfdcbbee7625f0644cfc27101424a051415da0 CVE-2019-13118.patch" diff --git a/system/libxslt/CVE-2019-13117.patch b/system/libxslt/CVE-2019-13117.patch new file mode 100644 index 000000000..78ebb9075 --- /dev/null +++ b/system/libxslt/CVE-2019-13117.patch @@ -0,0 +1,29 @@ +From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 27 Apr 2019 11:19:48 +0200 +Subject: [PATCH] Fix uninitialized read of xsl:number token + +Found by OSS-Fuzz. +--- + libxslt/numbers.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index 89e1f668..75c31eba 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format, + tokens->tokens[tokens->nTokens].token = val - 1; + ix += len; + val = xmlStringCurrentChar(NULL, format+ix, &len); +- } ++ } else { ++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0'; ++ tokens->tokens[tokens->nTokens].width = 1; ++ } + } else if ( (val == (xmlChar)'A') || + (val == (xmlChar)'a') || + (val == (xmlChar)'I') || +-- +2.21.0 + diff --git a/system/libxslt/CVE-2019-13118.patch b/system/libxslt/CVE-2019-13118.patch new file mode 100644 index 000000000..b377f4bd6 --- /dev/null +++ b/system/libxslt/CVE-2019-13118.patch @@ -0,0 +1,71 @@ +From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Mon, 3 Jun 2019 13:14:45 +0200 +Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars + +The character type in xsltFormatNumberConversion was too narrow and +an invalid character/length combination could be passed to +xsltNumberFormatDecimal, resulting in an uninitialized read. + +Found by OSS-Fuzz. +--- + libxslt/numbers.c | 5 +++-- + tests/docs/bug-222.xml | 1 + + tests/general/bug-222.out | 2 ++ + tests/general/bug-222.xsl | 6 ++++++ + 4 files changed, 12 insertions(+), 2 deletions(-) + create mode 100644 tests/docs/bug-222.xml + create mode 100644 tests/general/bug-222.out + create mode 100644 tests/general/bug-222.xsl + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index f1ed8846..20b99d5a 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER: + number = floor((scale * number + 0.5)) / scale; + if ((self->grouping != NULL) && + (self->grouping[0] != 0)) { ++ int gchar; + + len = xmlStrlen(self->grouping); +- pchar = xsltGetUTF8Char(self->grouping, &len); ++ gchar = xsltGetUTF8Char(self->grouping, &len); + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, + format_info.group, +- pchar, len); ++ gchar, len); + } else + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, +diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml +new file mode 100644 +index 00000000..69d62f2c +--- /dev/null ++++ b/tests/docs/bug-222.xml +@@ -0,0 +1 @@ ++<doc/> +diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out +new file mode 100644 +index 00000000..e3139698 +--- /dev/null ++++ b/tests/general/bug-222.out +@@ -0,0 +1,2 @@ ++<?xml version="1.0"?> ++1⠢0 +diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl +new file mode 100644 +index 00000000..e32dc473 +--- /dev/null ++++ b/tests/general/bug-222.xsl +@@ -0,0 +1,6 @@ ++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> ++ <xsl:decimal-format name="f" grouping-separator="⠢"/> ++ <xsl:template match="/"> ++ <xsl:value-of select="format-number(10,'#⠢0','f')"/> ++ </xsl:template> ++</xsl:stylesheet> +-- +2.21.0 + |