libxslt: Fix CVE-2019-11068

(From OE-Core rev: 5c0dc2a21e6ab1da9ea3943050793a52c742e539) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Adrian Bunk <bunk@stusta.de> 2019-06-19 20:54:29 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-06-21 00:33:22 +0100
commit: 31612633c606254e05f4a9f59dc40f40d99ea8a5 (patch)
tree: dee369ab2f381a78a8fc08f676844bed0b58981e /meta/recipes-support/libxslt
parent: 504be958d51fd77eb6a51038134975f0e27cc93e (diff)
download: poky-31612633c606254e05f4a9f59dc40f40d99ea8a5.tar.gz
2 files changed, 127 insertions, 1 deletions
diff --git a/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
new file mode 100644
index 0000000000..89b647ddbf
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
@@ -0,0 +1,124 @@
+From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: Fix security framework bypass
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+Fixes #12.
+Thanks to Felix Wilhelm for the report.
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-11068
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c   |  9 +++++----
+ libxslt/transform.c |  9 +++++----
+ libxslt/xslt.c      |  9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312..4aad11bb 100644
+--- a/libxslt/documents.c
+++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+        int res;
+ 
+        res = xsltCheckRead(ctxt->sec, ctxt, URI);
+-       if (res == 0) {
+-           xsltTransformError(ctxt, NULL, NULL,
+-                "xsltLoadDocument: read rights for %s denied\n",
+-                            URI);
+       if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(ctxt, NULL, NULL,
+                     "xsltLoadDocument: read rights for %s denied\n",
+                                 URI);
+            return(NULL);
+        }
+     }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+        int res;
+ 
+        res = xsltCheckRead(sec, NULL, URI);
+-       if (res == 0) {
+-           xsltTransformError(NULL, NULL, NULL,
+-                "xsltLoadStyleDocument: read rights for %s denied\n",
+-                            URI);
+       if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsltLoadStyleDocument: read rights for %s denied\n",
+                                 URI);
+            return(NULL);
+        }
+     }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cc..3783b247 100644
+--- a/libxslt/imports.c
+++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+        int secres;
+ 
+        secres = xsltCheckRead(sec, NULL, URI);
+-       if (secres == 0) {
+-           xsltTransformError(NULL, NULL, NULL,
+-                "xsl:import: read rights for %s denied\n",
+-                            URI);
+       if (secres <= 0) {
+            if (secres == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsl:import: read rights for %s denied\n",
+                                 URI);
+            goto error;
+        }
+     }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914..0636dbd0 100644
+--- a/libxslt/transform.c
+++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+      */
+     if (ctxt->sec != NULL) {
+        ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+-       if (ret == 0) {
+-           xsltTransformError(ctxt, NULL, inst,
+-                "xsltDocumentElem: write rights for %s denied\n",
+-                            filename);
+       if (ret <= 0) {
+            if (ret == 0)
+                xsltTransformError(ctxt, NULL, inst,
+                     "xsltDocumentElem: write rights for %s denied\n",
+                                 filename);
+            xmlFree(URL);
+            xmlFree(filename);
+            return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad7..a234eb79 100644
+--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+        int res;
+ 
+        res = xsltCheckRead(sec, NULL, filename);
+-       if (res == 0) {
+-           xsltTransformError(NULL, NULL, NULL,
+-                "xsltParseStylesheetFile: read rights for %s denied\n",
+-                            filename);
+       if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsltParseStylesheetFile: read rights for %s denied\n",
+                                 filename);
+            return(NULL);
+        }
+     }
+-- 
+2.20.1
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
index 462eccf52f..6320a821dc 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
 SECTION = "libs"
 DEPENDS = "libxml2"
-SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz"
+SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
+           file://0001-Fix-security-framework-bypass.patch \
+"
 SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"
 SRC_URI[sha256sum] = "8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8"
author	Adrian Bunk <bunk@stusta.de>	2019-06-19 20:54:29 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-06-21 00:33:22 +0100
commit	31612633c606254e05f4a9f59dc40f40d99ea8a5 (patch)
tree	dee369ab2f381a78a8fc08f676844bed0b58981e /meta/recipes-support/libxslt
parent	504be958d51fd77eb6a51038134975f0e27cc93e (diff)
download	poky-31612633c606254e05f4a9f59dc40f40d99ea8a5.tar.gz

diff --git a/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch new file mode 100644 index 0000000000..89b647ddbf --- /dev/null +++ b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
@@ -0,0 +1,124 @@
		1	From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Sun, 24 Mar 2019 09:51:39 +0100
		4	Subject: Fix security framework bypass
		5
		6	xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
		7	don't check for this condition and allow access. With a specially
		8	crafted URL, xsltCheckRead could be tricked into returning an error
		9	because of a supposedly invalid URL that would still be loaded
		10	succesfully later on.
		11
		12	Fixes #12.
		13
		14	Thanks to Felix Wilhelm for the report.
		15
		16	Signed-off-by: Adrian Bunk <bunk@stusta.de>
		17	Upstream-Status: Backport
		18	CVE: CVE-2019-11068
		19	---
		20	libxslt/documents.c \| 18 ++++++++++--------
		21	libxslt/imports.c \| 9 +++++----
		22	libxslt/transform.c \| 9 +++++----
		23	libxslt/xslt.c \| 9 +++++----
		24	4 files changed, 25 insertions(+), 20 deletions(-)
		25
		26	diff --git a/libxslt/documents.c b/libxslt/documents.c
		27	index 3f3a7312..4aad11bb 100644
		28	--- a/libxslt/documents.c
		29	+++ b/libxslt/documents.c
		30	@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
		31	int res;
		32
		33	res = xsltCheckRead(ctxt->sec, ctxt, URI);
		34	- if (res == 0) {
		35	- xsltTransformError(ctxt, NULL, NULL,
		36	- "xsltLoadDocument: read rights for %s denied\n",
		37	- URI);
		38	+ if (res <= 0) {
		39	+ if (res == 0)
		40	+ xsltTransformError(ctxt, NULL, NULL,
		41	+ "xsltLoadDocument: read rights for %s denied\n",
		42	+ URI);
		43	return(NULL);
		44	}
		45	}
		46	@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
		47	int res;
		48
		49	res = xsltCheckRead(sec, NULL, URI);
		50	- if (res == 0) {
		51	- xsltTransformError(NULL, NULL, NULL,
		52	- "xsltLoadStyleDocument: read rights for %s denied\n",
		53	- URI);
		54	+ if (res <= 0) {
		55	+ if (res == 0)
		56	+ xsltTransformError(NULL, NULL, NULL,
		57	+ "xsltLoadStyleDocument: read rights for %s denied\n",
		58	+ URI);
		59	return(NULL);
		60	}
		61	}
		62	diff --git a/libxslt/imports.c b/libxslt/imports.c
		63	index 874870cc..3783b247 100644
		64	--- a/libxslt/imports.c
		65	+++ b/libxslt/imports.c
		66	@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
		67	int secres;
		68
		69	secres = xsltCheckRead(sec, NULL, URI);
		70	- if (secres == 0) {
		71	- xsltTransformError(NULL, NULL, NULL,
		72	- "xsl:import: read rights for %s denied\n",
		73	- URI);
		74	+ if (secres <= 0) {
		75	+ if (secres == 0)
		76	+ xsltTransformError(NULL, NULL, NULL,
		77	+ "xsl:import: read rights for %s denied\n",
		78	+ URI);
		79	goto error;
		80	}
		81	}
		82	diff --git a/libxslt/transform.c b/libxslt/transform.c
		83	index 13793914..0636dbd0 100644
		84	--- a/libxslt/transform.c
		85	+++ b/libxslt/transform.c
		86	@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
		87	*/
		88	if (ctxt->sec != NULL) {
		89	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
		90	- if (ret == 0) {
		91	- xsltTransformError(ctxt, NULL, inst,
		92	- "xsltDocumentElem: write rights for %s denied\n",
		93	- filename);
		94	+ if (ret <= 0) {
		95	+ if (ret == 0)
		96	+ xsltTransformError(ctxt, NULL, inst,
		97	+ "xsltDocumentElem: write rights for %s denied\n",
		98	+ filename);
		99	xmlFree(URL);
		100	xmlFree(filename);
		101	return;
		102	diff --git a/libxslt/xslt.c b/libxslt/xslt.c
		103	index 780a5ad7..a234eb79 100644
		104	--- a/libxslt/xslt.c
		105	+++ b/libxslt/xslt.c
		106	@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
		107	int res;
		108
		109	res = xsltCheckRead(sec, NULL, filename);
		110	- if (res == 0) {
		111	- xsltTransformError(NULL, NULL, NULL,
		112	- "xsltParseStylesheetFile: read rights for %s denied\n",
		113	- filename);
		114	+ if (res <= 0) {
		115	+ if (res == 0)
		116	+ xsltTransformError(NULL, NULL, NULL,
		117	+ "xsltParseStylesheetFile: read rights for %s denied\n",
		118	+ filename);
		119	return(NULL);
		120	}
		121	}
		122	--
		123	2.20.1
		124


diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.33.bb index 462eccf52f..6320a821dc 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
8	SECTION = "libs"	8	SECTION = "libs"
9	DEPENDS = "libxml2"	9	DEPENDS = "libxml2"
10		10
11	SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz"	11	SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
		12	file://0001-Fix-security-framework-bypass.patch \
		13	"
12		14
13	SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"	15	SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"
14	SRC_URI[sha256sum] = "8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8"	16	SRC_URI[sha256sum] = "8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8"