libxslt: fix CVE-2019-13117 CVE-2019-13118

(From OE-Core rev: 7dc3048fec88dd62ef49ef16517b7382ab7cf2a5) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2019-07-10 10:37:24 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-11 09:32:50 +0100
commit: 78e9bc140e2c5d8a37e53eeb849d8a5aa061a410 (patch)
tree: 97aa8747cc7f3e619c84dea241928ac4738ad9fc /meta/recipes-support/libxslt/files
parent: 3c5f407923ff288a93a349074bfbf3f764d3e264 (diff)
download: poky-78e9bc140e2c5d8a37e53eeb849d8a5aa061a410.tar.gz
2 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
new file mode 100644
index 0000000000..ef3f2709f7
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
@@ -0,0 +1,33 @@
+From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: [PATCH] Fix uninitialized read of xsl:number token
+Found by OSS-Fuzz.
+CVE: CVE-2019-13117
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668..75c31eba 100644
+--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+                tokens->tokens[tokens->nTokens].token = val - 1;
+                ix += len;
+                val = xmlStringCurrentChar(NULL, format+ix, &len);
+-           }
+           } else {
+                tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
+                tokens->tokens[tokens->nTokens].width = 1;
+            }
+        } else if ( (val == (xmlChar)'A') ||
+                    (val == (xmlChar)'a') ||
+                    (val == (xmlChar)'I') ||
+-- 
+2.21.0
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
new file mode 100644
index 0000000000..595e6c2f33
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
@@ -0,0 +1,76 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+Found by OSS-Fuzz.
+CVE: CVE-2019-13118
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ libxslt/numbers.c         | 5 +++--
+ tests/docs/bug-222.xml    | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+     number = floor((scale * number + 0.5)) / scale;
+     if ((self->grouping != NULL) &&
+         (self->grouping[0] != 0)) {
+        int gchar;
+ 
+        len = xmlStrlen(self->grouping);
+-       pchar = xsltGetUTF8Char(self->grouping, &len);
+       gchar = xsltGetUTF8Char(self->grouping, &len);
+        xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+                                format_info.integer_digits,
+                                format_info.group,
+-                               pchar, len);
+                               gchar, len);
+     } else
+        xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+                                format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
+++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
+<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 00000000..e3139698
+--- /dev/null
+++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 00000000..e32dc473
+--- /dev/null
+++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+  <xsl:decimal-format name="f" grouping-separator="⠢"/>
+  <xsl:template match="/">
+    <xsl:value-of select="format-number(10,'#⠢0','f')"/>
+  </xsl:template>
+</xsl:stylesheet>
+-- 
+2.21.0
author	Anuj Mittal <anuj.mittal@intel.com>	2019-07-10 10:37:24 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-11 09:32:50 +0100
commit	78e9bc140e2c5d8a37e53eeb849d8a5aa061a410 (patch)
tree	97aa8747cc7f3e619c84dea241928ac4738ad9fc /meta/recipes-support/libxslt/files
parent	3c5f407923ff288a93a349074bfbf3f764d3e264 (diff)
download	poky-78e9bc140e2c5d8a37e53eeb849d8a5aa061a410.tar.gz

diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch new file mode 100644 index 0000000000..ef3f2709f7 --- /dev/null +++ b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
@@ -0,0 +1,33 @@
	1	From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Sat, 27 Apr 2019 11:19:48 +0200
	4	Subject: [PATCH] Fix uninitialized read of xsl:number token
	5
	6	Found by OSS-Fuzz.
	7
	8	CVE: CVE-2019-13117
	9	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1]
	10	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	11	---
	12	libxslt/numbers.c \| 5 ++++-
	13	1 file changed, 4 insertions(+), 1 deletion(-)
	14
	15	diff --git a/libxslt/numbers.c b/libxslt/numbers.c
	16	index 89e1f668..75c31eba 100644
	17	--- a/libxslt/numbers.c
	18	+++ b/libxslt/numbers.c
	19	@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
	20	tokens->tokens[tokens->nTokens].token = val - 1;
	21	ix += len;
	22	val = xmlStringCurrentChar(NULL, format+ix, &len);
	23	- }
	24	+ } else {
	25	+ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
	26	+ tokens->tokens[tokens->nTokens].width = 1;
	27	+ }
	28	} else if ( (val == (xmlChar)'A') \|\|
	29	(val == (xmlChar)'a') \|\|
	30	(val == (xmlChar)'I') \|\|
	31	--
	32	2.21.0
	33


diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch new file mode 100644 index 0000000000..595e6c2f33 --- /dev/null +++ b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
@@ -0,0 +1,76 @@
	1	From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Mon, 3 Jun 2019 13:14:45 +0200
	4	Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
	5
	6	The character type in xsltFormatNumberConversion was too narrow and
	7	an invalid character/length combination could be passed to
	8	xsltNumberFormatDecimal, resulting in an uninitialized read.
	9
	10	Found by OSS-Fuzz.
	11
	12	CVE: CVE-2019-13118
	13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b]
	14	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	15
	16	---
	17	libxslt/numbers.c \| 5 +++--
	18	tests/docs/bug-222.xml \| 1 +
	19	tests/general/bug-222.out \| 2 ++
	20	tests/general/bug-222.xsl \| 6 ++++++
	21	4 files changed, 12 insertions(+), 2 deletions(-)
	22	create mode 100644 tests/docs/bug-222.xml
	23	create mode 100644 tests/general/bug-222.out
	24	create mode 100644 tests/general/bug-222.xsl
	25
	26	diff --git a/libxslt/numbers.c b/libxslt/numbers.c
	27	index f1ed8846..20b99d5a 100644
	28	--- a/libxslt/numbers.c
	29	+++ b/libxslt/numbers.c
	30	@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
	31	number = floor((scale * number + 0.5)) / scale;
	32	if ((self->grouping != NULL) &&
	33	(self->grouping[0] != 0)) {
	34	+ int gchar;
	35
	36	len = xmlStrlen(self->grouping);
	37	- pchar = xsltGetUTF8Char(self->grouping, &len);
	38	+ gchar = xsltGetUTF8Char(self->grouping, &len);
	39	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
	40	format_info.integer_digits,
	41	format_info.group,
	42	- pchar, len);
	43	+ gchar, len);
	44	} else
	45	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
	46	format_info.integer_digits,
	47	diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
	48	new file mode 100644
	49	index 00000000..69d62f2c
	50	--- /dev/null
	51	+++ b/tests/docs/bug-222.xml
	52	@@ -0,0 +1 @@
	53	+<doc/>
	54	diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
	55	new file mode 100644
	56	index 00000000..e3139698
	57	--- /dev/null
	58	+++ b/tests/general/bug-222.out
	59	@@ -0,0 +1,2 @@
	60	+<?xml version="1.0"?>
	61	+1⠢0
	62	diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
	63	new file mode 100644
	64	index 00000000..e32dc473
	65	--- /dev/null
	66	+++ b/tests/general/bug-222.xsl
	67	@@ -0,0 +1,6 @@
	68	+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
	69	+ <xsl:decimal-format name="f" grouping-separator="⠢"/>
	70	+ <xsl:template match="/">
	71	+ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
	72	+ </xsl:template>
	73	+</xsl:stylesheet>
	74	--
	75	2.21.0
	76