summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2019-07-10 10:37:24 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-11 09:32:50 +0100
commit78e9bc140e2c5d8a37e53eeb849d8a5aa061a410 (patch)
tree97aa8747cc7f3e619c84dea241928ac4738ad9fc /meta
parent3c5f407923ff288a93a349074bfbf3f764d3e264 (diff)
downloadpoky-78e9bc140e2c5d8a37e53eeb849d8a5aa061a410.tar.gz
libxslt: fix CVE-2019-13117 CVE-2019-13118
(From OE-Core rev: 7dc3048fec88dd62ef49ef16517b7382ab7cf2a5) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-support/libxslt/files/CVE-2019-13117.patch33
-rw-r--r--meta/recipes-support/libxslt/files/CVE-2019-13118.patch76
-rw-r--r--meta/recipes-support/libxslt/libxslt_1.1.33.bb2
3 files changed, 111 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
new file mode 100644
index 0000000000..ef3f2709f7
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
@@ -0,0 +1,33 @@
1From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sat, 27 Apr 2019 11:19:48 +0200
4Subject: [PATCH] Fix uninitialized read of xsl:number token
5
6Found by OSS-Fuzz.
7
8CVE: CVE-2019-13117
9Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1]
10Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
11---
12 libxslt/numbers.c | 5 ++++-
13 1 file changed, 4 insertions(+), 1 deletion(-)
14
15diff --git a/libxslt/numbers.c b/libxslt/numbers.c
16index 89e1f668..75c31eba 100644
17--- a/libxslt/numbers.c
18+++ b/libxslt/numbers.c
19@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
20 tokens->tokens[tokens->nTokens].token = val - 1;
21 ix += len;
22 val = xmlStringCurrentChar(NULL, format+ix, &len);
23- }
24+ } else {
25+ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
26+ tokens->tokens[tokens->nTokens].width = 1;
27+ }
28 } else if ( (val == (xmlChar)'A') ||
29 (val == (xmlChar)'a') ||
30 (val == (xmlChar)'I') ||
31--
322.21.0
33
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
new file mode 100644
index 0000000000..595e6c2f33
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
@@ -0,0 +1,76 @@
1From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Mon, 3 Jun 2019 13:14:45 +0200
4Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
5
6The character type in xsltFormatNumberConversion was too narrow and
7an invalid character/length combination could be passed to
8xsltNumberFormatDecimal, resulting in an uninitialized read.
9
10Found by OSS-Fuzz.
11
12CVE: CVE-2019-13118
13Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b]
14Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
15
16---
17 libxslt/numbers.c | 5 +++--
18 tests/docs/bug-222.xml | 1 +
19 tests/general/bug-222.out | 2 ++
20 tests/general/bug-222.xsl | 6 ++++++
21 4 files changed, 12 insertions(+), 2 deletions(-)
22 create mode 100644 tests/docs/bug-222.xml
23 create mode 100644 tests/general/bug-222.out
24 create mode 100644 tests/general/bug-222.xsl
25
26diff --git a/libxslt/numbers.c b/libxslt/numbers.c
27index f1ed8846..20b99d5a 100644
28--- a/libxslt/numbers.c
29+++ b/libxslt/numbers.c
30@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
31 number = floor((scale * number + 0.5)) / scale;
32 if ((self->grouping != NULL) &&
33 (self->grouping[0] != 0)) {
34+ int gchar;
35
36 len = xmlStrlen(self->grouping);
37- pchar = xsltGetUTF8Char(self->grouping, &len);
38+ gchar = xsltGetUTF8Char(self->grouping, &len);
39 xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
40 format_info.integer_digits,
41 format_info.group,
42- pchar, len);
43+ gchar, len);
44 } else
45 xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
46 format_info.integer_digits,
47diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
48new file mode 100644
49index 00000000..69d62f2c
50--- /dev/null
51+++ b/tests/docs/bug-222.xml
52@@ -0,0 +1 @@
53+<doc/>
54diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
55new file mode 100644
56index 00000000..e3139698
57--- /dev/null
58+++ b/tests/general/bug-222.out
59@@ -0,0 +1,2 @@
60+<?xml version="1.0"?>
61+1⠢0
62diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
63new file mode 100644
64index 00000000..e32dc473
65--- /dev/null
66+++ b/tests/general/bug-222.xsl
67@@ -0,0 +1,6 @@
68+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
69+ <xsl:decimal-format name="f" grouping-separator="⠢"/>
70+ <xsl:template match="/">
71+ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
72+ </xsl:template>
73+</xsl:stylesheet>
74--
752.21.0
76
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
index 6320a821dc..abc00a09ea 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
@@ -10,6 +10,8 @@ DEPENDS = "libxml2"
10 10
11SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ 11SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
12 file://0001-Fix-security-framework-bypass.patch \ 12 file://0001-Fix-security-framework-bypass.patch \
13 file://CVE-2019-13117.patch \
14 file://CVE-2019-13118.patch \
13" 15"
14 16
15SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f" 17SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"