summaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/libxslt
diff options
context:
space:
mode:
authorAdrian Bunk <bunk@stusta.de>2019-06-19 20:54:29 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-06-21 00:33:22 +0100
commit31612633c606254e05f4a9f59dc40f40d99ea8a5 (patch)
treedee369ab2f381a78a8fc08f676844bed0b58981e /meta/recipes-support/libxslt
parent504be958d51fd77eb6a51038134975f0e27cc93e (diff)
downloadpoky-31612633c606254e05f4a9f59dc40f40d99ea8a5.tar.gz
libxslt: Fix CVE-2019-11068
(From OE-Core rev: 5c0dc2a21e6ab1da9ea3943050793a52c742e539) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/libxslt')
-rw-r--r--meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch124
-rw-r--r--meta/recipes-support/libxslt/libxslt_1.1.33.bb4
2 files changed, 127 insertions, 1 deletions
diff --git a/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
new file mode 100644
index 0000000000..89b647ddbf
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
@@ -0,0 +1,124 @@
1From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sun, 24 Mar 2019 09:51:39 +0100
4Subject: Fix security framework bypass
5
6xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
7don't check for this condition and allow access. With a specially
8crafted URL, xsltCheckRead could be tricked into returning an error
9because of a supposedly invalid URL that would still be loaded
10succesfully later on.
11
12Fixes #12.
13
14Thanks to Felix Wilhelm for the report.
15
16Signed-off-by: Adrian Bunk <bunk@stusta.de>
17Upstream-Status: Backport
18CVE: CVE-2019-11068
19---
20 libxslt/documents.c | 18 ++++++++++--------
21 libxslt/imports.c | 9 +++++----
22 libxslt/transform.c | 9 +++++----
23 libxslt/xslt.c | 9 +++++----
24 4 files changed, 25 insertions(+), 20 deletions(-)
25
26diff --git a/libxslt/documents.c b/libxslt/documents.c
27index 3f3a7312..4aad11bb 100644
28--- a/libxslt/documents.c
29+++ b/libxslt/documents.c
30@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
31 int res;
32
33 res = xsltCheckRead(ctxt->sec, ctxt, URI);
34- if (res == 0) {
35- xsltTransformError(ctxt, NULL, NULL,
36- "xsltLoadDocument: read rights for %s denied\n",
37- URI);
38+ if (res <= 0) {
39+ if (res == 0)
40+ xsltTransformError(ctxt, NULL, NULL,
41+ "xsltLoadDocument: read rights for %s denied\n",
42+ URI);
43 return(NULL);
44 }
45 }
46@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
47 int res;
48
49 res = xsltCheckRead(sec, NULL, URI);
50- if (res == 0) {
51- xsltTransformError(NULL, NULL, NULL,
52- "xsltLoadStyleDocument: read rights for %s denied\n",
53- URI);
54+ if (res <= 0) {
55+ if (res == 0)
56+ xsltTransformError(NULL, NULL, NULL,
57+ "xsltLoadStyleDocument: read rights for %s denied\n",
58+ URI);
59 return(NULL);
60 }
61 }
62diff --git a/libxslt/imports.c b/libxslt/imports.c
63index 874870cc..3783b247 100644
64--- a/libxslt/imports.c
65+++ b/libxslt/imports.c
66@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
67 int secres;
68
69 secres = xsltCheckRead(sec, NULL, URI);
70- if (secres == 0) {
71- xsltTransformError(NULL, NULL, NULL,
72- "xsl:import: read rights for %s denied\n",
73- URI);
74+ if (secres <= 0) {
75+ if (secres == 0)
76+ xsltTransformError(NULL, NULL, NULL,
77+ "xsl:import: read rights for %s denied\n",
78+ URI);
79 goto error;
80 }
81 }
82diff --git a/libxslt/transform.c b/libxslt/transform.c
83index 13793914..0636dbd0 100644
84--- a/libxslt/transform.c
85+++ b/libxslt/transform.c
86@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
87 */
88 if (ctxt->sec != NULL) {
89 ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
90- if (ret == 0) {
91- xsltTransformError(ctxt, NULL, inst,
92- "xsltDocumentElem: write rights for %s denied\n",
93- filename);
94+ if (ret <= 0) {
95+ if (ret == 0)
96+ xsltTransformError(ctxt, NULL, inst,
97+ "xsltDocumentElem: write rights for %s denied\n",
98+ filename);
99 xmlFree(URL);
100 xmlFree(filename);
101 return;
102diff --git a/libxslt/xslt.c b/libxslt/xslt.c
103index 780a5ad7..a234eb79 100644
104--- a/libxslt/xslt.c
105+++ b/libxslt/xslt.c
106@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
107 int res;
108
109 res = xsltCheckRead(sec, NULL, filename);
110- if (res == 0) {
111- xsltTransformError(NULL, NULL, NULL,
112- "xsltParseStylesheetFile: read rights for %s denied\n",
113- filename);
114+ if (res <= 0) {
115+ if (res == 0)
116+ xsltTransformError(NULL, NULL, NULL,
117+ "xsltParseStylesheetFile: read rights for %s denied\n",
118+ filename);
119 return(NULL);
120 }
121 }
122--
1232.20.1
124
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
index 462eccf52f..6320a821dc 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
8SECTION = "libs" 8SECTION = "libs"
9DEPENDS = "libxml2" 9DEPENDS = "libxml2"
10 10
11SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz" 11SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
12 file://0001-Fix-security-framework-bypass.patch \
13"
12 14
13SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f" 15SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"
14SRC_URI[sha256sum] = "8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8" 16SRC_URI[sha256sum] = "8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8"