From 0b09c67b8eba048295e57af90599dd74d1e30df8 Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Tue, 23 Jul 2019 18:07:09 -0400
Subject: system/libxslt: patch for CVE-2019-13117, CVE-2019-13118

---
 system/libxslt/APKBUILD             | 13 +++++--
 system/libxslt/CVE-2019-13117.patch | 29 +++++++++++++++
 system/libxslt/CVE-2019-13118.patch | 71 +++++++++++++++++++++++++++++++++++++
 3 files changed, 110 insertions(+), 3 deletions(-)
 create mode 100644 system/libxslt/CVE-2019-13117.patch
 create mode 100644 system/libxslt/CVE-2019-13118.patch

(limited to 'system')

diff --git a/system/libxslt/APKBUILD b/system/libxslt/APKBUILD
index 49a07d7cf..c387c6d45 100644
--- a/system/libxslt/APKBUILD
+++ b/system/libxslt/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=libxslt
 pkgver=1.1.33
-pkgrel=1
+pkgrel=2
 pkgdesc="XML stylesheet transformation library"
 url="http://xmlsoft.org/XSLT/"
 arch="all"
@@ -10,13 +10,18 @@ license="SGI-B-2.0"
 makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python3-dev"
 subpackages="$pkgname-doc $pkgname-dev"
 source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz
-	CVE-2019-11068.patch"
+	CVE-2019-11068.patch
+	CVE-2019-13117.patch
+	CVE-2019-13118.patch"
 
 # secfixes:
 #   1.1.29-r1:
 #     - CVE-2017-5029
 #   1.1.33-r1:
 #     - CVE-2019-11068
+#   1.1.33-r2:
+#     - CVE-2019-13117
+#     - CVE-2019-13118
 
 build() {
 	./configure \
@@ -35,4 +40,6 @@ package() {
 }
 
 sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0  libxslt-1.1.33.tar.gz
-48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41  CVE-2019-11068.patch"
+48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41  CVE-2019-11068.patch
+b311e253a5c4f425f84344397974562a76b253ca14f63b48af7aa0faa561d5f728cb73ee63024993fad3ee7fc7eddb9c9d7310ab8faa5f6a14fd1c6d0037999f  CVE-2019-13117.patch
+44d3bb5dda6965f48e3af96c77ffa5f1f2e3c191cf1f28ac1b7b3501420393b5628b12b99fe4008b5056384dfebfdcbbee7625f0644cfc27101424a051415da0  CVE-2019-13118.patch"
diff --git a/system/libxslt/CVE-2019-13117.patch b/system/libxslt/CVE-2019-13117.patch
new file mode 100644
index 000000000..78ebb9075
--- /dev/null
+++ b/system/libxslt/CVE-2019-13117.patch
@@ -0,0 +1,29 @@
+From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: [PATCH] Fix uninitialized read of xsl:number token
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668..75c31eba 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ 		tokens->tokens[tokens->nTokens].token = val - 1;
+ 		ix += len;
+ 		val = xmlStringCurrentChar(NULL, format+ix, &len);
+-	    }
++	    } else {
++                tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++                tokens->tokens[tokens->nTokens].width = 1;
++            }
+ 	} else if ( (val == (xmlChar)'A') ||
+ 		    (val == (xmlChar)'a') ||
+ 		    (val == (xmlChar)'I') ||
+-- 
+2.21.0
+
diff --git a/system/libxslt/CVE-2019-13118.patch b/system/libxslt/CVE-2019-13118.patch
new file mode 100644
index 000000000..b377f4bd6
--- /dev/null
+++ b/system/libxslt/CVE-2019-13118.patch
@@ -0,0 +1,71 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c         | 5 +++--
+ tests/docs/bug-222.xml    | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+     number = floor((scale * number + 0.5)) / scale;
+     if ((self->grouping != NULL) &&
+         (self->grouping[0] != 0)) {
++        int gchar;
+ 
+ 	len = xmlStrlen(self->grouping);
+-	pchar = xsltGetUTF8Char(self->grouping, &len);
++	gchar = xsltGetUTF8Char(self->grouping, &len);
+ 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ 				format_info.integer_digits,
+ 				format_info.group,
+-				pchar, len);
++				gchar, len);
+     } else
+ 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ 				format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 00000000..e3139698
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 00000000..e32dc473
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++  <xsl:decimal-format name="f" grouping-separator="⠢"/>
++  <xsl:template match="/">
++    <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++  </xsl:template>
++</xsl:stylesheet>
+-- 
+2.21.0
+
-- 
cgit v1.2.3-60-g2f50