libxslt: CVE-2015-7995

This is a is being give a High rating so please consider it for all 1.1.28 versions. A type confusion error within the libxslt "xsltStylePreCompute()" function in preproc.c can lead to a DoS. Confirmed in version 1.1.28, other versions may also be affected. (From OE-Core rev: 0f89bbab6588a1171259801fa879516740030acb) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2015-10-29 16:22:41 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-11-16 11:39:35 +0000
commit: bbd6d07c98149201a51086da9a069d207c4777d5 (patch)
tree: 86b3cc2f263e110753ecff03858501c2da922bed /meta/recipes-support/libxslt
parent: a0d2ea9a2a97f1a1e6b25f7ddad6ec00558916d1 (diff)
download: poky-bbd6d07c98149201a51086da9a069d207c4777d5.tar.gz
2 files changed, 35 insertions, 1 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
new file mode 100644
index 0000000000..e4d09c2ac7
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
@@ -0,0 +1,33 @@
+From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 29 Oct 2015 19:33:23 +0800
+Subject: Fix for type confusion in preprocessing attributes
+CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
+We need to check that the parent node is an element before dereferencing
+its namespace
+Upstream-Status: Backport
+https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libxslt/preproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+Index: libxslt-1.1.28/libxslt/preproc.c
+===================================================================
+--- libxslt-1.1.28.orig/libxslt/preproc.c
+++ libxslt-1.1.28/libxslt/preproc.c
+@@ -2245,7 +2245,8 @@ xsltStylePreCompute(xsltStylesheetPtr st
+        } else if (IS_XSLT_NAME(inst, "attribute")) {
+            xmlNodePtr parent = inst->parent;
+ 
+-           if ((parent == NULL) || (parent->ns == NULL) ||
+           if ((parent == NULL) ||
+               (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
+                ((parent->ns != inst->ns) &&
+                 (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
+                (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.28.bb b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
index 166bcd86e7..87fabecda0 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.28.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
@@ -10,7 +10,8 @@ DEPENDS = "libxml2"
 SRC_URI = "ftp://xmlsoft.org/libxslt//libxslt-${PV}.tar.gz \
           file://pkgconfig_fix.patch \
-           file://pkgconfig.patch"
+           file://pkgconfig.patch \
+           file://CVE-2015-7995.patch"
 SRC_URI[md5sum] = "9667bf6f9310b957254fdcf6596600b7"
 SRC_URI[sha256sum] = "5fc7151a57b89c03d7b825df5a0fae0a8d5f05674c0e7cf2937ecec4d54a028c"
author	Armin Kuster <akuster@mvista.com>	2015-10-29 16:22:41 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-11-16 11:39:35 +0000
commit	bbd6d07c98149201a51086da9a069d207c4777d5 (patch)
tree	86b3cc2f263e110753ecff03858501c2da922bed /meta/recipes-support/libxslt
parent	a0d2ea9a2a97f1a1e6b25f7ddad6ec00558916d1 (diff)
download	poky-bbd6d07c98149201a51086da9a069d207c4777d5.tar.gz

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch new file mode 100644 index 0000000000..e4d09c2ac7 --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
@@ -0,0 +1,33 @@
		1	From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Thu, 29 Oct 2015 19:33:23 +0800
		4	Subject: Fix for type confusion in preprocessing attributes
		5
		6	CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
		7	We need to check that the parent node is an element before dereferencing
		8	its namespace
		9
		10	Upstream-Status: Backport
		11
		12	https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
		13
		14	Signed-off-by: Armin Kuster <akuster@mvista.com>
		15
		16	---
		17	libxslt/preproc.c \| 3 ++-
		18	1 file changed, 2 insertions(+), 1 deletion(-)
		19
		20	Index: libxslt-1.1.28/libxslt/preproc.c
		21	===================================================================
		22	--- libxslt-1.1.28.orig/libxslt/preproc.c
		23	+++ libxslt-1.1.28/libxslt/preproc.c
		24	@@ -2245,7 +2245,8 @@ xsltStylePreCompute(xsltStylesheetPtr st
		25	} else if (IS_XSLT_NAME(inst, "attribute")) {
		26	xmlNodePtr parent = inst->parent;
		27
		28	- if ((parent == NULL) \|\| (parent->ns == NULL) \|\|
		29	+ if ((parent == NULL) \|\|
		30	+ (parent->type != XML_ELEMENT_NODE) \|\| (parent->ns == NULL) \|\|
		31	((parent->ns != inst->ns) &&
		32	(!xmlStrEqual(parent->ns->href, inst->ns->href))) \|\|
		33	(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {


diff --git a/meta/recipes-support/libxslt/libxslt_1.1.28.bb b/meta/recipes-support/libxslt/libxslt_1.1.28.bb index 166bcd86e7..87fabecda0 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.28.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
@@ -10,7 +10,8 @@ DEPENDS = "libxml2"
10		10
11	SRC_URI = "ftp://xmlsoft.org/libxslt//libxslt-${PV}.tar.gz \	11	SRC_URI = "ftp://xmlsoft.org/libxslt//libxslt-${PV}.tar.gz \
12	file://pkgconfig_fix.patch \	12	file://pkgconfig_fix.patch \
13	file://pkgconfig.patch"	13	file://pkgconfig.patch \
		14	file://CVE-2015-7995.patch"
14		15
15	SRC_URI[md5sum] = "9667bf6f9310b957254fdcf6596600b7"	16	SRC_URI[md5sum] = "9667bf6f9310b957254fdcf6596600b7"
16	SRC_URI[sha256sum] = "5fc7151a57b89c03d7b825df5a0fae0a8d5f05674c0e7cf2937ecec4d54a028c"	17	SRC_URI[sha256sum] = "5fc7151a57b89c03d7b825df5a0fae0a8d5f05674c0e7cf2937ecec4d54a028c"