diff options
Diffstat (limited to 'meta/recipes-support/libxslt')
| -rw-r--r-- | meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch | 201 | ||||
| -rw-r--r-- | meta/recipes-support/libxslt/libxslt_1.1.34.bb | 10 |
2 files changed, 211 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch new file mode 100644 index 0000000000..614047ea7a --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch | |||
| @@ -0,0 +1,201 @@ | |||
| 1 | From 50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
| 3 | Date: Sat, 12 Jun 2021 20:02:53 +0200 | ||
| 4 | Subject: [PATCH] Fix use-after-free in xsltApplyTemplates | ||
| 5 | |||
| 6 | xsltApplyTemplates without a select expression could delete nodes in | ||
| 7 | the source document. | ||
| 8 | |||
| 9 | 1. Text nodes with strippable whitespace | ||
| 10 | |||
| 11 | Whitespace from input documents is already stripped, so there's no | ||
| 12 | need to strip it again. Under certain circumstances, xsltApplyTemplates | ||
| 13 | could be fooled into deleting text nodes that are still referenced, | ||
| 14 | resulting in a use-after-free. | ||
| 15 | |||
| 16 | 2. The DTD | ||
| 17 | |||
| 18 | The DTD was only unlinked, but there's no good reason to do this just | ||
| 19 | now. Maybe it was meant as a micro-optimization. | ||
| 20 | |||
| 21 | 3. Unknown nodes | ||
| 22 | |||
| 23 | Useless and dangerous as well, especially with XInclude nodes. | ||
| 24 | See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268 | ||
| 25 | |||
| 26 | Simply stop trying to uselessly delete nodes when applying a template. | ||
| 27 | This part of the code is probably a leftover from a time where | ||
| 28 | xsltApplyStripSpaces wasn't implemented yet. Also note that | ||
| 29 | xsltApplyTemplates with a select expression never tried to delete | ||
| 30 | nodes. | ||
| 31 | |||
| 32 | Also stop xsltDefaultProcessOneNode from deleting nodes for the same | ||
| 33 | reasons. | ||
| 34 | |||
| 35 | This fixes CVE-2021-30560. | ||
| 36 | |||
| 37 | CVE: CVE-2021-30560 | ||
| 38 | Upstream-Status: Backport [https://github.com/GNOME/libxslt/commit/50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8.patch] | ||
| 39 | Comment: No change in any hunk | ||
| 40 | Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com> | ||
| 41 | |||
| 42 | --- | ||
| 43 | libxslt/transform.c | 119 +++----------------------------------------- | ||
| 44 | 1 file changed, 7 insertions(+), 112 deletions(-) | ||
| 45 | |||
| 46 | diff --git a/libxslt/transform.c b/libxslt/transform.c | ||
| 47 | index 04522154..3aba354f 100644 | ||
| 48 | --- a/libxslt/transform.c | ||
| 49 | +++ b/libxslt/transform.c | ||
| 50 | @@ -1895,7 +1895,7 @@ static void | ||
| 51 | xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, | ||
| 52 | xsltStackElemPtr params) { | ||
| 53 | xmlNodePtr copy; | ||
| 54 | - xmlNodePtr delete = NULL, cur; | ||
| 55 | + xmlNodePtr cur; | ||
| 56 | int nbchild = 0, oldSize; | ||
| 57 | int childno = 0, oldPos; | ||
| 58 | xsltTemplatePtr template; | ||
| 59 | @@ -1968,54 +1968,13 @@ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, | ||
| 60 | return; | ||
| 61 | } | ||
| 62 | /* | ||
| 63 | - * Handling of Elements: first pass, cleanup and counting | ||
| 64 | + * Handling of Elements: first pass, counting | ||
| 65 | */ | ||
| 66 | cur = node->children; | ||
| 67 | while (cur != NULL) { | ||
| 68 | - switch (cur->type) { | ||
| 69 | - case XML_TEXT_NODE: | ||
| 70 | - case XML_CDATA_SECTION_NODE: | ||
| 71 | - case XML_DOCUMENT_NODE: | ||
| 72 | - case XML_HTML_DOCUMENT_NODE: | ||
| 73 | - case XML_ELEMENT_NODE: | ||
| 74 | - case XML_PI_NODE: | ||
| 75 | - case XML_COMMENT_NODE: | ||
| 76 | - nbchild++; | ||
| 77 | - break; | ||
| 78 | - case XML_DTD_NODE: | ||
| 79 | - /* Unlink the DTD, it's still reachable using doc->intSubset */ | ||
| 80 | - if (cur->next != NULL) | ||
| 81 | - cur->next->prev = cur->prev; | ||
| 82 | - if (cur->prev != NULL) | ||
| 83 | - cur->prev->next = cur->next; | ||
| 84 | - break; | ||
| 85 | - default: | ||
| 86 | -#ifdef WITH_XSLT_DEBUG_PROCESS | ||
| 87 | - XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, | ||
| 88 | - "xsltDefaultProcessOneNode: skipping node type %d\n", | ||
| 89 | - cur->type)); | ||
| 90 | -#endif | ||
| 91 | - delete = cur; | ||
| 92 | - } | ||
| 93 | + if (IS_XSLT_REAL_NODE(cur)) | ||
| 94 | + nbchild++; | ||
| 95 | cur = cur->next; | ||
| 96 | - if (delete != NULL) { | ||
| 97 | -#ifdef WITH_XSLT_DEBUG_PROCESS | ||
| 98 | - XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, | ||
| 99 | - "xsltDefaultProcessOneNode: removing ignorable blank node\n")); | ||
| 100 | -#endif | ||
| 101 | - xmlUnlinkNode(delete); | ||
| 102 | - xmlFreeNode(delete); | ||
| 103 | - delete = NULL; | ||
| 104 | - } | ||
| 105 | - } | ||
| 106 | - if (delete != NULL) { | ||
| 107 | -#ifdef WITH_XSLT_DEBUG_PROCESS | ||
| 108 | - XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, | ||
| 109 | - "xsltDefaultProcessOneNode: removing ignorable blank node\n")); | ||
| 110 | -#endif | ||
| 111 | - xmlUnlinkNode(delete); | ||
| 112 | - xmlFreeNode(delete); | ||
| 113 | - delete = NULL; | ||
| 114 | } | ||
| 115 | |||
| 116 | /* | ||
| 117 | @@ -4864,7 +4823,7 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, | ||
| 118 | xsltStylePreCompPtr comp = (xsltStylePreCompPtr) castedComp; | ||
| 119 | #endif | ||
| 120 | int i; | ||
| 121 | - xmlNodePtr cur, delNode = NULL, oldContextNode; | ||
| 122 | + xmlNodePtr cur, oldContextNode; | ||
| 123 | xmlNodeSetPtr list = NULL, oldList; | ||
| 124 | xsltStackElemPtr withParams = NULL; | ||
| 125 | int oldXPProximityPosition, oldXPContextSize; | ||
| 126 | @@ -4998,73 +4957,9 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, | ||
| 127 | else | ||
| 128 | cur = NULL; | ||
| 129 | while (cur != NULL) { | ||
| 130 | - switch (cur->type) { | ||
| 131 | - case XML_TEXT_NODE: | ||
| 132 | - if ((IS_BLANK_NODE(cur)) && | ||
| 133 | - (cur->parent != NULL) && | ||
| 134 | - (cur->parent->type == XML_ELEMENT_NODE) && | ||
| 135 | - (ctxt->style->stripSpaces != NULL)) { | ||
| 136 | - const xmlChar *val; | ||
| 137 | - | ||
| 138 | - if (cur->parent->ns != NULL) { | ||
| 139 | - val = (const xmlChar *) | ||
| 140 | - xmlHashLookup2(ctxt->style->stripSpaces, | ||
| 141 | - cur->parent->name, | ||
| 142 | - cur->parent->ns->href); | ||
| 143 | - if (val == NULL) { | ||
| 144 | - val = (const xmlChar *) | ||
| 145 | - xmlHashLookup2(ctxt->style->stripSpaces, | ||
| 146 | - BAD_CAST "*", | ||
| 147 | - cur->parent->ns->href); | ||
| 148 | - } | ||
| 149 | - } else { | ||
| 150 | - val = (const xmlChar *) | ||
| 151 | - xmlHashLookup2(ctxt->style->stripSpaces, | ||
| 152 | - cur->parent->name, NULL); | ||
| 153 | - } | ||
| 154 | - if ((val != NULL) && | ||
| 155 | - (xmlStrEqual(val, (xmlChar *) "strip"))) { | ||
| 156 | - delNode = cur; | ||
| 157 | - break; | ||
| 158 | - } | ||
| 159 | - } | ||
| 160 | - /* Intentional fall-through */ | ||
| 161 | - case XML_ELEMENT_NODE: | ||
| 162 | - case XML_DOCUMENT_NODE: | ||
| 163 | - case XML_HTML_DOCUMENT_NODE: | ||
| 164 | - case XML_CDATA_SECTION_NODE: | ||
| 165 | - case XML_PI_NODE: | ||
| 166 | - case XML_COMMENT_NODE: | ||
| 167 | - xmlXPathNodeSetAddUnique(list, cur); | ||
| 168 | - break; | ||
| 169 | - case XML_DTD_NODE: | ||
| 170 | - /* Unlink the DTD, it's still reachable | ||
| 171 | - * using doc->intSubset */ | ||
| 172 | - if (cur->next != NULL) | ||
| 173 | - cur->next->prev = cur->prev; | ||
| 174 | - if (cur->prev != NULL) | ||
| 175 | - cur->prev->next = cur->next; | ||
| 176 | - break; | ||
| 177 | - case XML_NAMESPACE_DECL: | ||
| 178 | - break; | ||
| 179 | - default: | ||
| 180 | -#ifdef WITH_XSLT_DEBUG_PROCESS | ||
| 181 | - XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, | ||
| 182 | - "xsltApplyTemplates: skipping cur type %d\n", | ||
| 183 | - cur->type)); | ||
| 184 | -#endif | ||
| 185 | - delNode = cur; | ||
| 186 | - } | ||
| 187 | + if (IS_XSLT_REAL_NODE(cur)) | ||
| 188 | + xmlXPathNodeSetAddUnique(list, cur); | ||
| 189 | cur = cur->next; | ||
| 190 | - if (delNode != NULL) { | ||
| 191 | -#ifdef WITH_XSLT_DEBUG_PROCESS | ||
| 192 | - XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, | ||
| 193 | - "xsltApplyTemplates: removing ignorable blank cur\n")); | ||
| 194 | -#endif | ||
| 195 | - xmlUnlinkNode(delNode); | ||
| 196 | - xmlFreeNode(delNode); | ||
| 197 | - delNode = NULL; | ||
| 198 | - } | ||
| 199 | } | ||
| 200 | } | ||
| 201 | |||
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.34.bb b/meta/recipes-support/libxslt/libxslt_1.1.34.bb index 1961bb5b31..4755677bec 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.34.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.34.bb | |||
| @@ -1,4 +1,9 @@ | |||
| 1 | SUMMARY = "GNOME XSLT library" | 1 | SUMMARY = "GNOME XSLT library" |
| 2 | DESCRIPTION = "libxslt is the XSLT C parser and toolkit developed for the Gnome project. \ | ||
| 3 | XSLT itself is a an XML language to define transformation for XML. Libxslt is based on \ | ||
| 4 | libxml2 the XML C library developed for the GNOME project. It also implements most of \ | ||
| 5 | the EXSLT set of processor-portable extensions functions and some of Saxon's evaluate \ | ||
| 6 | and expressions extensions." | ||
| 2 | HOMEPAGE = "http://xmlsoft.org/XSLT/" | 7 | HOMEPAGE = "http://xmlsoft.org/XSLT/" |
| 3 | BUGTRACKER = "https://bugzilla.gnome.org/" | 8 | BUGTRACKER = "https://bugzilla.gnome.org/" |
| 4 | 9 | ||
| @@ -9,6 +14,7 @@ SECTION = "libs" | |||
| 9 | DEPENDS = "libxml2" | 14 | DEPENDS = "libxml2" |
| 10 | 15 | ||
| 11 | SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ | 16 | SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ |
| 17 | file://CVE-2021-30560.patch \ | ||
| 12 | " | 18 | " |
| 13 | 19 | ||
| 14 | SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a" | 20 | SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a" |
| @@ -16,6 +22,10 @@ SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7 | |||
| 16 | 22 | ||
| 17 | UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar" | 23 | UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar" |
| 18 | 24 | ||
| 25 | # We have libxml2 2.9.10 and we don't link statically with it anyway | ||
| 26 | # so this isn't an issue. | ||
| 27 | CVE_CHECK_WHITELIST += "CVE-2022-29824" | ||
| 28 | |||
| 19 | S = "${WORKDIR}/libxslt-${PV}" | 29 | S = "${WORKDIR}/libxslt-${PV}" |
| 20 | 30 | ||
| 21 | BINCONFIG = "${bindir}/xslt-config" | 31 | BINCONFIG = "${bindir}/xslt-config" |