From f77c53cff150d99fd0e27de670fa87f11246310d Mon Sep 17 00:00:00 2001 From: Jan Pavlinec Date: Wed, 24 Jul 2019 15:33:48 +0200 Subject: [PATCH] libxslt: patch security issues Fixes: CVE-2019-13117 CVE-2019-13118 Signed-off-by: Jan Pavlinec --- libs/libxslt/Makefile | 2 +- .../patches/101-fix-cve-2019-13117.patch | 29 ++++++++ .../patches/102-fix-cve-2019-13118.patch | 71 +++++++++++++++++++ 3 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 libs/libxslt/patches/101-fix-cve-2019-13117.patch create mode 100644 libs/libxslt/patches/102-fix-cve-2019-13118.patch diff --git a/libs/libxslt/Makefile b/libs/libxslt/Makefile index 795bf2a56..b31989e4a 100644 --- a/libs/libxslt/Makefile +++ b/libs/libxslt/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libxslt PKG_VERSION:=1.1.33 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ diff --git a/libs/libxslt/patches/101-fix-cve-2019-13117.patch b/libs/libxslt/patches/101-fix-cve-2019-13117.patch new file mode 100644 index 000000000..78ebb9075 --- /dev/null +++ b/libs/libxslt/patches/101-fix-cve-2019-13117.patch @@ -0,0 +1,29 @@ +From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 27 Apr 2019 11:19:48 +0200 +Subject: [PATCH] Fix uninitialized read of xsl:number token + +Found by OSS-Fuzz. +--- + libxslt/numbers.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index 89e1f668..75c31eba 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format, + tokens->tokens[tokens->nTokens].token = val - 1; + ix += len; + val = xmlStringCurrentChar(NULL, format+ix, &len); +- } ++ } else { ++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0'; ++ tokens->tokens[tokens->nTokens].width = 1; ++ } + } else if ( (val == (xmlChar)'A') || + (val == (xmlChar)'a') || + (val == (xmlChar)'I') || +-- +2.21.0 + diff --git a/libs/libxslt/patches/102-fix-cve-2019-13118.patch b/libs/libxslt/patches/102-fix-cve-2019-13118.patch new file mode 100644 index 000000000..b377f4bd6 --- /dev/null +++ b/libs/libxslt/patches/102-fix-cve-2019-13118.patch @@ -0,0 +1,71 @@ +From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 3 Jun 2019 13:14:45 +0200 +Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars + +The character type in xsltFormatNumberConversion was too narrow and +an invalid character/length combination could be passed to +xsltNumberFormatDecimal, resulting in an uninitialized read. + +Found by OSS-Fuzz. +--- + libxslt/numbers.c | 5 +++-- + tests/docs/bug-222.xml | 1 + + tests/general/bug-222.out | 2 ++ + tests/general/bug-222.xsl | 6 ++++++ + 4 files changed, 12 insertions(+), 2 deletions(-) + create mode 100644 tests/docs/bug-222.xml + create mode 100644 tests/general/bug-222.out + create mode 100644 tests/general/bug-222.xsl + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index f1ed8846..20b99d5a 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER: + number = floor((scale * number + 0.5)) / scale; + if ((self->grouping != NULL) && + (self->grouping[0] != 0)) { ++ int gchar; + + len = xmlStrlen(self->grouping); +- pchar = xsltGetUTF8Char(self->grouping, &len); ++ gchar = xsltGetUTF8Char(self->grouping, &len); + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, + format_info.group, +- pchar, len); ++ gchar, len); + } else + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, +diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml +new file mode 100644 +index 00000000..69d62f2c +--- /dev/null ++++ b/tests/docs/bug-222.xml +@@ -0,0 +1 @@ ++ +diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out +new file mode 100644 +index 00000000..e3139698 +--- /dev/null ++++ b/tests/general/bug-222.out +@@ -0,0 +1,2 @@ ++ ++1⠢0 +diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl +new file mode 100644 +index 00000000..e32dc473 +--- /dev/null ++++ b/tests/general/bug-222.xsl +@@ -0,0 +1,6 @@ ++ ++ ++ ++ ++ ++ +-- +2.21.0 +