diff options
Diffstat (limited to 'system/libxslt/CVE-2019-11068.patch')
-rw-r--r-- | system/libxslt/CVE-2019-11068.patch | 120 |
1 files changed, 0 insertions, 120 deletions
diff --git a/system/libxslt/CVE-2019-11068.patch b/system/libxslt/CVE-2019-11068.patch deleted file mode 100644 index db0de8a55..000000000 --- a/system/libxslt/CVE-2019-11068.patch +++ /dev/null @@ -1,120 +0,0 @@ -From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer <wellnhofer@aevum.de> -Date: Sun, 24 Mar 2019 09:51:39 +0100 -Subject: [PATCH] Fix security framework bypass - -xsltCheckRead and xsltCheckWrite return -1 in case of error but callers -don't check for this condition and allow access. With a specially -crafted URL, xsltCheckRead could be tricked into returning an error -because of a supposedly invalid URL that would still be loaded -succesfully later on. - -Fixes #12. - -Thanks to Felix Wilhelm for the report. ---- - libxslt/documents.c | 18 ++++++++++-------- - libxslt/imports.c | 9 +++++---- - libxslt/transform.c | 9 +++++---- - libxslt/xslt.c | 9 +++++---- - 4 files changed, 25 insertions(+), 20 deletions(-) - -diff --git a/libxslt/documents.c b/libxslt/documents.c -index 3f3a7312..4aad11bb 100644 ---- a/libxslt/documents.c -+++ b/libxslt/documents.c -@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) { - int res; - - res = xsltCheckRead(ctxt->sec, ctxt, URI); -- if (res == 0) { -- xsltTransformError(ctxt, NULL, NULL, -- "xsltLoadDocument: read rights for %s denied\n", -- URI); -+ if (res <= 0) { -+ if (res == 0) -+ xsltTransformError(ctxt, NULL, NULL, -+ "xsltLoadDocument: read rights for %s denied\n", -+ URI); - return(NULL); - } - } -@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) { - int res; - - res = xsltCheckRead(sec, NULL, URI); -- if (res == 0) { -- xsltTransformError(NULL, NULL, NULL, -- "xsltLoadStyleDocument: read rights for %s denied\n", -- URI); -+ if (res <= 0) { -+ if (res == 0) -+ xsltTransformError(NULL, NULL, NULL, -+ "xsltLoadStyleDocument: read rights for %s denied\n", -+ URI); - return(NULL); - } - } -diff --git a/libxslt/imports.c b/libxslt/imports.c -index 874870cc..3783b247 100644 ---- a/libxslt/imports.c -+++ b/libxslt/imports.c -@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) { - int secres; - - secres = xsltCheckRead(sec, NULL, URI); -- if (secres == 0) { -- xsltTransformError(NULL, NULL, NULL, -- "xsl:import: read rights for %s denied\n", -- URI); -+ if (secres <= 0) { -+ if (secres == 0) -+ xsltTransformError(NULL, NULL, NULL, -+ "xsl:import: read rights for %s denied\n", -+ URI); - goto error; - } - } -diff --git a/libxslt/transform.c b/libxslt/transform.c -index 13793914..0636dbd0 100644 ---- a/libxslt/transform.c -+++ b/libxslt/transform.c -@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node, - */ - if (ctxt->sec != NULL) { - ret = xsltCheckWrite(ctxt->sec, ctxt, filename); -- if (ret == 0) { -- xsltTransformError(ctxt, NULL, inst, -- "xsltDocumentElem: write rights for %s denied\n", -- filename); -+ if (ret <= 0) { -+ if (ret == 0) -+ xsltTransformError(ctxt, NULL, inst, -+ "xsltDocumentElem: write rights for %s denied\n", -+ filename); - xmlFree(URL); - xmlFree(filename); - return; -diff --git a/libxslt/xslt.c b/libxslt/xslt.c -index 780a5ad7..a234eb79 100644 ---- a/libxslt/xslt.c -+++ b/libxslt/xslt.c -@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) { - int res; - - res = xsltCheckRead(sec, NULL, filename); -- if (res == 0) { -- xsltTransformError(NULL, NULL, NULL, -- "xsltParseStylesheetFile: read rights for %s denied\n", -- filename); -+ if (res <= 0) { -+ if (res == 0) -+ xsltTransformError(NULL, NULL, NULL, -+ "xsltParseStylesheetFile: read rights for %s denied\n", -+ filename); - return(NULL); - } - } --- -2.21.0 - |