Browse Source

Merge pull request #9561 from ja-pa/libxslt-security-fix

libxslt: patch security issues
lilik-openwrt-22.03
Jiri Slachta 5 years ago
committed by GitHub
parent
commit
262f689990
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 101 additions and 1 deletions
  1. +1
    -1
      libs/libxslt/Makefile
  2. +29
    -0
      libs/libxslt/patches/101-fix-cve-2019-13117.patch
  3. +71
    -0
      libs/libxslt/patches/102-fix-cve-2019-13118.patch

+ 1
- 1
libs/libxslt/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libxslt
PKG_VERSION:=1.1.33
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \


+ 29
- 0
libs/libxslt/patches/101-fix-cve-2019-13117.patch View File

@ -0,0 +1,29 @@
From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 27 Apr 2019 11:19:48 +0200
Subject: [PATCH] Fix uninitialized read of xsl:number token
Found by OSS-Fuzz.
---
libxslt/numbers.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index 89e1f668..75c31eba 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
tokens->tokens[tokens->nTokens].token = val - 1;
ix += len;
val = xmlStringCurrentChar(NULL, format+ix, &len);
- }
+ } else {
+ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
+ tokens->tokens[tokens->nTokens].width = 1;
+ }
} else if ( (val == (xmlChar)'A') ||
(val == (xmlChar)'a') ||
(val == (xmlChar)'I') ||
--
2.21.0

+ 71
- 0
libs/libxslt/patches/102-fix-cve-2019-13118.patch View File

@ -0,0 +1,71 @@
From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 3 Jun 2019 13:14:45 +0200
Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
The character type in xsltFormatNumberConversion was too narrow and
an invalid character/length combination could be passed to
xsltNumberFormatDecimal, resulting in an uninitialized read.
Found by OSS-Fuzz.
---
libxslt/numbers.c | 5 +++--
tests/docs/bug-222.xml | 1 +
tests/general/bug-222.out | 2 ++
tests/general/bug-222.xsl | 6 ++++++
4 files changed, 12 insertions(+), 2 deletions(-)
create mode 100644 tests/docs/bug-222.xml
create mode 100644 tests/general/bug-222.out
create mode 100644 tests/general/bug-222.xsl
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index f1ed8846..20b99d5a 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
number = floor((scale * number + 0.5)) / scale;
if ((self->grouping != NULL) &&
(self->grouping[0] != 0)) {
+ int gchar;
len = xmlStrlen(self->grouping);
- pchar = xsltGetUTF8Char(self->grouping, &len);
+ gchar = xsltGetUTF8Char(self->grouping, &len);
xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
format_info.integer_digits,
format_info.group,
- pchar, len);
+ gchar, len);
} else
xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
format_info.integer_digits,
diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
new file mode 100644
index 00000000..69d62f2c
--- /dev/null
+++ b/tests/docs/bug-222.xml
@@ -0,0 +1 @@
+<doc/>
diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
new file mode 100644
index 00000000..e3139698
--- /dev/null
+++ b/tests/general/bug-222.out
@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+1⠢0
diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
new file mode 100644
index 00000000..e32dc473
--- /dev/null
+++ b/tests/general/bug-222.xsl
@@ -0,0 +1,6 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+ <xsl:decimal-format name="f" grouping-separator="⠢"/>
+ <xsl:template match="/">
+ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
+ </xsl:template>
+</xsl:stylesheet>
--
2.21.0

Loading…
Cancel
Save