diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch | 128 | ||||
-rw-r--r-- | meta/recipes-support/libxslt/libxslt_1.1.32.bb | 1 |
2 files changed, 129 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch b/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch new file mode 100644 index 0000000000..83ca8a3c00 --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch | |||
@@ -0,0 +1,128 @@ | |||
1 | From aed812d8dbbb6d1337312652aa72aa7f44d2b07d Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Sun, 24 Mar 2019 09:51:39 +0100 | ||
4 | Subject: [PATCH] Fix security framework bypass | ||
5 | |||
6 | xsltCheckRead and xsltCheckWrite return -1 in case of error but callers | ||
7 | don't check for this condition and allow access. With a specially | ||
8 | crafted URL, xsltCheckRead could be tricked into returning an error | ||
9 | because of a supposedly invalid URL that would still be loaded | ||
10 | succesfully later on. | ||
11 | |||
12 | Fixes #12. | ||
13 | |||
14 | Thanks to Felix Wilhelm for the report. | ||
15 | |||
16 | Signed-off-by: Muminul Islam <muminul.islam@microsoft.com> | ||
17 | |||
18 | CVE: CVE-2019-11068 | ||
19 | |||
20 | Upstream-Status: Backport | ||
21 | |||
22 | https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 | ||
23 | --- | ||
24 | libxslt/documents.c | 18 ++++++++++-------- | ||
25 | libxslt/imports.c | 9 +++++---- | ||
26 | libxslt/transform.c | 9 +++++---- | ||
27 | libxslt/xslt.c | 9 +++++---- | ||
28 | 4 files changed, 25 insertions(+), 20 deletions(-) | ||
29 | |||
30 | diff --git a/libxslt/documents.c b/libxslt/documents.c | ||
31 | index 3f3a7312..4aad11bb 100644 | ||
32 | --- a/libxslt/documents.c | ||
33 | +++ b/libxslt/documents.c | ||
34 | @@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) { | ||
35 | int res; | ||
36 | |||
37 | res = xsltCheckRead(ctxt->sec, ctxt, URI); | ||
38 | - if (res == 0) { | ||
39 | - xsltTransformError(ctxt, NULL, NULL, | ||
40 | - "xsltLoadDocument: read rights for %s denied\n", | ||
41 | - URI); | ||
42 | + if (res <= 0) { | ||
43 | + if (res == 0) | ||
44 | + xsltTransformError(ctxt, NULL, NULL, | ||
45 | + "xsltLoadDocument: read rights for %s denied\n", | ||
46 | + URI); | ||
47 | return(NULL); | ||
48 | } | ||
49 | } | ||
50 | @@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) { | ||
51 | int res; | ||
52 | |||
53 | res = xsltCheckRead(sec, NULL, URI); | ||
54 | - if (res == 0) { | ||
55 | - xsltTransformError(NULL, NULL, NULL, | ||
56 | - "xsltLoadStyleDocument: read rights for %s denied\n", | ||
57 | - URI); | ||
58 | + if (res <= 0) { | ||
59 | + if (res == 0) | ||
60 | + xsltTransformError(NULL, NULL, NULL, | ||
61 | + "xsltLoadStyleDocument: read rights for %s denied\n", | ||
62 | + URI); | ||
63 | return(NULL); | ||
64 | } | ||
65 | } | ||
66 | diff --git a/libxslt/imports.c b/libxslt/imports.c | ||
67 | index 7262aab9..b62e0877 100644 | ||
68 | --- a/libxslt/imports.c | ||
69 | +++ b/libxslt/imports.c | ||
70 | @@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) { | ||
71 | int secres; | ||
72 | |||
73 | secres = xsltCheckRead(sec, NULL, URI); | ||
74 | - if (secres == 0) { | ||
75 | - xsltTransformError(NULL, NULL, NULL, | ||
76 | - "xsl:import: read rights for %s denied\n", | ||
77 | - URI); | ||
78 | + if (secres <= 0) { | ||
79 | + if (secres == 0) | ||
80 | + xsltTransformError(NULL, NULL, NULL, | ||
81 | + "xsl:import: read rights for %s denied\n", | ||
82 | + URI); | ||
83 | goto error; | ||
84 | } | ||
85 | } | ||
86 | diff --git a/libxslt/transform.c b/libxslt/transform.c | ||
87 | index 560f43ca..46eef553 100644 | ||
88 | --- a/libxslt/transform.c | ||
89 | +++ b/libxslt/transform.c | ||
90 | @@ -3485,10 +3485,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node, | ||
91 | */ | ||
92 | if (ctxt->sec != NULL) { | ||
93 | ret = xsltCheckWrite(ctxt->sec, ctxt, filename); | ||
94 | - if (ret == 0) { | ||
95 | - xsltTransformError(ctxt, NULL, inst, | ||
96 | - "xsltDocumentElem: write rights for %s denied\n", | ||
97 | - filename); | ||
98 | + if (ret <= 0) { | ||
99 | + if (ret == 0) | ||
100 | + xsltTransformError(ctxt, NULL, inst, | ||
101 | + "xsltDocumentElem: write rights for %s denied\n", | ||
102 | + filename); | ||
103 | xmlFree(URL); | ||
104 | xmlFree(filename); | ||
105 | return; | ||
106 | diff --git a/libxslt/xslt.c b/libxslt/xslt.c | ||
107 | index 54a39de9..359913e4 100644 | ||
108 | --- a/libxslt/xslt.c | ||
109 | +++ b/libxslt/xslt.c | ||
110 | @@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) { | ||
111 | int res; | ||
112 | |||
113 | res = xsltCheckRead(sec, NULL, filename); | ||
114 | - if (res == 0) { | ||
115 | - xsltTransformError(NULL, NULL, NULL, | ||
116 | - "xsltParseStylesheetFile: read rights for %s denied\n", | ||
117 | - filename); | ||
118 | + if (res <= 0) { | ||
119 | + if (res == 0) | ||
120 | + xsltTransformError(NULL, NULL, NULL, | ||
121 | + "xsltParseStylesheetFile: read rights for %s denied\n", | ||
122 | + filename); | ||
123 | return(NULL); | ||
124 | } | ||
125 | } | ||
126 | -- | ||
127 | 2.23.0 | ||
128 | |||
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.32.bb b/meta/recipes-support/libxslt/libxslt_1.1.32.bb index f0fa5e723f..df3f97aa12 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.32.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.32.bb | |||
@@ -10,6 +10,7 @@ DEPENDS = "libxml2" | |||
10 | 10 | ||
11 | SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ | 11 | SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ |
12 | file://fix-rvts-handling.patch \ | 12 | file://fix-rvts-handling.patch \ |
13 | file://CVE-2019-11068.patch \ | ||
13 | " | 14 | " |
14 | 15 | ||
15 | SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146" | 16 | SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146" |