libxslt: Cve fix CVE-2019-11068

(From OE-Core rev: c9c3fabddb4e1779ef330f2073f85dce83cb460b) Signed-off-by: Muminul Islam <muislam@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Muminul Islam <misla011@fiu.edu> 2019-09-12 21:23:05 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-08 22:52:28 +0100
commit: 94ac57739c90e7f77c333de87b6c9f33cf227dcb (patch)
tree: fa1992d376ae48126cb09361ad5028c7d1d28ec6
parent: 26ab554fd5223ea870819c21ec9619d09a2ae850 (diff)
download: poky-94ac57739c90e7f77c333de87b6c9f33cf227dcb.tar.gz
2 files changed, 129 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch b/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch
new file mode 100644
index 0000000000..83ca8a3c00
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch
@@ -0,0 +1,128 @@
+From aed812d8dbbb6d1337312652aa72aa7f44d2b07d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: [PATCH] Fix security framework bypass
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+Fixes #12.
+Thanks to Felix Wilhelm for the report.
+Signed-off-by: Muminul Islam <muminul.islam@microsoft.com>
+CVE: CVE-2019-11068
+Upstream-Status: Backport
+https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c   |  9 +++++----
+ libxslt/transform.c |  9 +++++----
+ libxslt/xslt.c      |  9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312..4aad11bb 100644
+--- a/libxslt/documents.c
+++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+        int res;
+ 
+        res = xsltCheckRead(ctxt->sec, ctxt, URI);
+-       if (res == 0) {
+-           xsltTransformError(ctxt, NULL, NULL,
+-                "xsltLoadDocument: read rights for %s denied\n",
+-                            URI);
+       if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(ctxt, NULL, NULL,
+                     "xsltLoadDocument: read rights for %s denied\n",
+                                 URI);
+            return(NULL);
+        }
+     }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+        int res;
+ 
+        res = xsltCheckRead(sec, NULL, URI);
+-       if (res == 0) {
+-           xsltTransformError(NULL, NULL, NULL,
+-                "xsltLoadStyleDocument: read rights for %s denied\n",
+-                            URI);
+       if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsltLoadStyleDocument: read rights for %s denied\n",
+                                 URI);
+            return(NULL);
+        }
+     }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 7262aab9..b62e0877 100644
+--- a/libxslt/imports.c
+++ b/libxslt/imports.c
+@@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+        int secres;
+ 
+        secres = xsltCheckRead(sec, NULL, URI);
+-       if (secres == 0) {
+-           xsltTransformError(NULL, NULL, NULL,
+-                "xsl:import: read rights for %s denied\n",
+-                            URI);
+       if (secres <= 0) {
+            if (secres == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsl:import: read rights for %s denied\n",
+                                 URI);
+            goto error;
+        }
+     }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 560f43ca..46eef553 100644
+--- a/libxslt/transform.c
+++ b/libxslt/transform.c
+@@ -3485,10 +3485,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+      */
+     if (ctxt->sec != NULL) {
+        ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+-       if (ret == 0) {
+-           xsltTransformError(ctxt, NULL, inst,
+-                "xsltDocumentElem: write rights for %s denied\n",
+-                            filename);
+       if (ret <= 0) {
+            if (ret == 0)
+                xsltTransformError(ctxt, NULL, inst,
+                     "xsltDocumentElem: write rights for %s denied\n",
+                                 filename);
+            xmlFree(URL);
+            xmlFree(filename);
+            return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 54a39de9..359913e4 100644
+--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+        int res;
+ 
+        res = xsltCheckRead(sec, NULL, filename);
+-       if (res == 0) {
+-           xsltTransformError(NULL, NULL, NULL,
+-                "xsltParseStylesheetFile: read rights for %s denied\n",
+-                            filename);
+       if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsltParseStylesheetFile: read rights for %s denied\n",
+                                 filename);
+            return(NULL);
+        }
+     }
+-- 
+2.23.0
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.32.bb b/meta/recipes-support/libxslt/libxslt_1.1.32.bb
index f0fa5e723f..df3f97aa12 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.32.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.32.bb
@@ -10,6 +10,7 @@ DEPENDS = "libxml2"
 SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
           file://fix-rvts-handling.patch \
+           file://CVE-2019-11068.patch \
           "
 SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146"
author	Muminul Islam <misla011@fiu.edu>	2019-09-12 21:23:05 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +0100
commit	94ac57739c90e7f77c333de87b6c9f33cf227dcb (patch)
tree	fa1992d376ae48126cb09361ad5028c7d1d28ec6
parent	26ab554fd5223ea870819c21ec9619d09a2ae850 (diff)
download	poky-94ac57739c90e7f77c333de87b6c9f33cf227dcb.tar.gz

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch b/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch new file mode 100644 index 0000000000..83ca8a3c00 --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch
@@ -0,0 +1,128 @@
		1	From aed812d8dbbb6d1337312652aa72aa7f44d2b07d Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Sun, 24 Mar 2019 09:51:39 +0100
		4	Subject: [PATCH] Fix security framework bypass
		5
		6	xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
		7	don't check for this condition and allow access. With a specially
		8	crafted URL, xsltCheckRead could be tricked into returning an error
		9	because of a supposedly invalid URL that would still be loaded
		10	succesfully later on.
		11
		12	Fixes #12.
		13
		14	Thanks to Felix Wilhelm for the report.
		15
		16	Signed-off-by: Muminul Islam <muminul.islam@microsoft.com>
		17
		18	CVE: CVE-2019-11068
		19
		20	Upstream-Status: Backport
		21
		22	https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
		23	---
		24	libxslt/documents.c \| 18 ++++++++++--------
		25	libxslt/imports.c \| 9 +++++----
		26	libxslt/transform.c \| 9 +++++----
		27	libxslt/xslt.c \| 9 +++++----
		28	4 files changed, 25 insertions(+), 20 deletions(-)
		29
		30	diff --git a/libxslt/documents.c b/libxslt/documents.c
		31	index 3f3a7312..4aad11bb 100644
		32	--- a/libxslt/documents.c
		33	+++ b/libxslt/documents.c
		34	@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
		35	int res;
		36
		37	res = xsltCheckRead(ctxt->sec, ctxt, URI);
		38	- if (res == 0) {
		39	- xsltTransformError(ctxt, NULL, NULL,
		40	- "xsltLoadDocument: read rights for %s denied\n",
		41	- URI);
		42	+ if (res <= 0) {
		43	+ if (res == 0)
		44	+ xsltTransformError(ctxt, NULL, NULL,
		45	+ "xsltLoadDocument: read rights for %s denied\n",
		46	+ URI);
		47	return(NULL);
		48	}
		49	}
		50	@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
		51	int res;
		52
		53	res = xsltCheckRead(sec, NULL, URI);
		54	- if (res == 0) {
		55	- xsltTransformError(NULL, NULL, NULL,
		56	- "xsltLoadStyleDocument: read rights for %s denied\n",
		57	- URI);
		58	+ if (res <= 0) {
		59	+ if (res == 0)
		60	+ xsltTransformError(NULL, NULL, NULL,
		61	+ "xsltLoadStyleDocument: read rights for %s denied\n",
		62	+ URI);
		63	return(NULL);
		64	}
		65	}
		66	diff --git a/libxslt/imports.c b/libxslt/imports.c
		67	index 7262aab9..b62e0877 100644
		68	--- a/libxslt/imports.c
		69	+++ b/libxslt/imports.c
		70	@@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
		71	int secres;
		72
		73	secres = xsltCheckRead(sec, NULL, URI);
		74	- if (secres == 0) {
		75	- xsltTransformError(NULL, NULL, NULL,
		76	- "xsl:import: read rights for %s denied\n",
		77	- URI);
		78	+ if (secres <= 0) {
		79	+ if (secres == 0)
		80	+ xsltTransformError(NULL, NULL, NULL,
		81	+ "xsl:import: read rights for %s denied\n",
		82	+ URI);
		83	goto error;
		84	}
		85	}
		86	diff --git a/libxslt/transform.c b/libxslt/transform.c
		87	index 560f43ca..46eef553 100644
		88	--- a/libxslt/transform.c
		89	+++ b/libxslt/transform.c
		90	@@ -3485,10 +3485,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
		91	*/
		92	if (ctxt->sec != NULL) {
		93	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
		94	- if (ret == 0) {
		95	- xsltTransformError(ctxt, NULL, inst,
		96	- "xsltDocumentElem: write rights for %s denied\n",
		97	- filename);
		98	+ if (ret <= 0) {
		99	+ if (ret == 0)
		100	+ xsltTransformError(ctxt, NULL, inst,
		101	+ "xsltDocumentElem: write rights for %s denied\n",
		102	+ filename);
		103	xmlFree(URL);
		104	xmlFree(filename);
		105	return;
		106	diff --git a/libxslt/xslt.c b/libxslt/xslt.c
		107	index 54a39de9..359913e4 100644
		108	--- a/libxslt/xslt.c
		109	+++ b/libxslt/xslt.c
		110	@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
		111	int res;
		112
		113	res = xsltCheckRead(sec, NULL, filename);
		114	- if (res == 0) {
		115	- xsltTransformError(NULL, NULL, NULL,
		116	- "xsltParseStylesheetFile: read rights for %s denied\n",
		117	- filename);
		118	+ if (res <= 0) {
		119	+ if (res == 0)
		120	+ xsltTransformError(NULL, NULL, NULL,
		121	+ "xsltParseStylesheetFile: read rights for %s denied\n",
		122	+ filename);
		123	return(NULL);
		124	}
		125	}
		126	--
		127	2.23.0
		128


diff --git a/meta/recipes-support/libxslt/libxslt_1.1.32.bb b/meta/recipes-support/libxslt/libxslt_1.1.32.bb index f0fa5e723f..df3f97aa12 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.32.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.32.bb
@@ -10,6 +10,7 @@ DEPENDS = "libxml2"
10		10
11	SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \	11	SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
12	file://fix-rvts-handling.patch \	12	file://fix-rvts-handling.patch \
		13	file://CVE-2019-11068.patch \
13	"	14	"
14		15
15	SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146"	16	SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146"