diff options
author | Anuj Mittal <anuj.mittal@intel.com> | 2019-07-10 10:37:24 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-11 09:32:50 +0100 |
commit | 78e9bc140e2c5d8a37e53eeb849d8a5aa061a410 (patch) | |
tree | 97aa8747cc7f3e619c84dea241928ac4738ad9fc /meta | |
parent | 3c5f407923ff288a93a349074bfbf3f764d3e264 (diff) | |
download | poky-78e9bc140e2c5d8a37e53eeb849d8a5aa061a410.tar.gz |
libxslt: fix CVE-2019-13117 CVE-2019-13118
(From OE-Core rev: 7dc3048fec88dd62ef49ef16517b7382ab7cf2a5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/libxslt/files/CVE-2019-13117.patch | 33 | ||||
-rw-r--r-- | meta/recipes-support/libxslt/files/CVE-2019-13118.patch | 76 | ||||
-rw-r--r-- | meta/recipes-support/libxslt/libxslt_1.1.33.bb | 2 |
3 files changed, 111 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch new file mode 100644 index 0000000000..ef3f2709f7 --- /dev/null +++ b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Sat, 27 Apr 2019 11:19:48 +0200 | ||
4 | Subject: [PATCH] Fix uninitialized read of xsl:number token | ||
5 | |||
6 | Found by OSS-Fuzz. | ||
7 | |||
8 | CVE: CVE-2019-13117 | ||
9 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1] | ||
10 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
11 | --- | ||
12 | libxslt/numbers.c | 5 ++++- | ||
13 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/libxslt/numbers.c b/libxslt/numbers.c | ||
16 | index 89e1f668..75c31eba 100644 | ||
17 | --- a/libxslt/numbers.c | ||
18 | +++ b/libxslt/numbers.c | ||
19 | @@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format, | ||
20 | tokens->tokens[tokens->nTokens].token = val - 1; | ||
21 | ix += len; | ||
22 | val = xmlStringCurrentChar(NULL, format+ix, &len); | ||
23 | - } | ||
24 | + } else { | ||
25 | + tokens->tokens[tokens->nTokens].token = (xmlChar)'0'; | ||
26 | + tokens->tokens[tokens->nTokens].width = 1; | ||
27 | + } | ||
28 | } else if ( (val == (xmlChar)'A') || | ||
29 | (val == (xmlChar)'a') || | ||
30 | (val == (xmlChar)'I') || | ||
31 | -- | ||
32 | 2.21.0 | ||
33 | |||
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch new file mode 100644 index 0000000000..595e6c2f33 --- /dev/null +++ b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch | |||
@@ -0,0 +1,76 @@ | |||
1 | From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Mon, 3 Jun 2019 13:14:45 +0200 | ||
4 | Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars | ||
5 | |||
6 | The character type in xsltFormatNumberConversion was too narrow and | ||
7 | an invalid character/length combination could be passed to | ||
8 | xsltNumberFormatDecimal, resulting in an uninitialized read. | ||
9 | |||
10 | Found by OSS-Fuzz. | ||
11 | |||
12 | CVE: CVE-2019-13118 | ||
13 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b] | ||
14 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
15 | |||
16 | --- | ||
17 | libxslt/numbers.c | 5 +++-- | ||
18 | tests/docs/bug-222.xml | 1 + | ||
19 | tests/general/bug-222.out | 2 ++ | ||
20 | tests/general/bug-222.xsl | 6 ++++++ | ||
21 | 4 files changed, 12 insertions(+), 2 deletions(-) | ||
22 | create mode 100644 tests/docs/bug-222.xml | ||
23 | create mode 100644 tests/general/bug-222.out | ||
24 | create mode 100644 tests/general/bug-222.xsl | ||
25 | |||
26 | diff --git a/libxslt/numbers.c b/libxslt/numbers.c | ||
27 | index f1ed8846..20b99d5a 100644 | ||
28 | --- a/libxslt/numbers.c | ||
29 | +++ b/libxslt/numbers.c | ||
30 | @@ -1298,13 +1298,14 @@ OUTPUT_NUMBER: | ||
31 | number = floor((scale * number + 0.5)) / scale; | ||
32 | if ((self->grouping != NULL) && | ||
33 | (self->grouping[0] != 0)) { | ||
34 | + int gchar; | ||
35 | |||
36 | len = xmlStrlen(self->grouping); | ||
37 | - pchar = xsltGetUTF8Char(self->grouping, &len); | ||
38 | + gchar = xsltGetUTF8Char(self->grouping, &len); | ||
39 | xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], | ||
40 | format_info.integer_digits, | ||
41 | format_info.group, | ||
42 | - pchar, len); | ||
43 | + gchar, len); | ||
44 | } else | ||
45 | xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], | ||
46 | format_info.integer_digits, | ||
47 | diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml | ||
48 | new file mode 100644 | ||
49 | index 00000000..69d62f2c | ||
50 | --- /dev/null | ||
51 | +++ b/tests/docs/bug-222.xml | ||
52 | @@ -0,0 +1 @@ | ||
53 | +<doc/> | ||
54 | diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out | ||
55 | new file mode 100644 | ||
56 | index 00000000..e3139698 | ||
57 | --- /dev/null | ||
58 | +++ b/tests/general/bug-222.out | ||
59 | @@ -0,0 +1,2 @@ | ||
60 | +<?xml version="1.0"?> | ||
61 | +1⠢0 | ||
62 | diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl | ||
63 | new file mode 100644 | ||
64 | index 00000000..e32dc473 | ||
65 | --- /dev/null | ||
66 | +++ b/tests/general/bug-222.xsl | ||
67 | @@ -0,0 +1,6 @@ | ||
68 | +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> | ||
69 | + <xsl:decimal-format name="f" grouping-separator="⠢"/> | ||
70 | + <xsl:template match="/"> | ||
71 | + <xsl:value-of select="format-number(10,'#⠢0','f')"/> | ||
72 | + </xsl:template> | ||
73 | +</xsl:stylesheet> | ||
74 | -- | ||
75 | 2.21.0 | ||
76 | |||
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.33.bb index 6320a821dc..abc00a09ea 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb | |||
@@ -10,6 +10,8 @@ DEPENDS = "libxml2" | |||
10 | 10 | ||
11 | SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ | 11 | SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ |
12 | file://0001-Fix-security-framework-bypass.patch \ | 12 | file://0001-Fix-security-framework-bypass.patch \ |
13 | file://CVE-2019-13117.patch \ | ||
14 | file://CVE-2019-13118.patch \ | ||
13 | " | 15 | " |
14 | 16 | ||
15 | SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f" | 17 | SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f" |