libxslt: fix CVE-2019-18197

Use patch from upstream after 1.1.33 release. (From OE-Core rev: 1263db2759b88e423bb717cc0cfc256c7962871b) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joe Slater <joe.slater@windriver.com> 2019-10-22 18:59:51 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-31 16:09:35 +0000
commit: 3a1ad58f74a9c6ad5bccc5832de9dd3e03be2d36 (patch)
tree: 1bc92ab9eda0d239c4aea5d7f3108cb08dc2d120 /meta/recipes-support/libxslt
parent: 6df6e5d3baf26184c138c2341e1e5c8b19f16b95 (diff)
download: poky-3a1ad58f74a9c6ad5bccc5832de9dd3e03be2d36.tar.gz
2 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-18197.patch b/meta/recipes-support/libxslt/files/CVE-2019-18197.patch
new file mode 100644
index 0000000000..5f2b620396
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-18197.patch
@@ -0,0 +1,33 @@
+libxslt: fix CVE-2019-18197
+Added after 1.1.33 release.
+CVE: CVE-2019-18197
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt.git]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+commit 2232473733b7313d67de8836ea3b29eec6e8e285
+Author: Nick Wellnhofer <wellnhofer@aevum.de>
+Date:   Sat Aug 17 16:51:53 2019 +0200
+    Fix dangling pointer in xsltCopyText
+    
+    xsltCopyText didn't reset ctxt->lasttext in some cases which could
+    lead to various memory errors in relation with CDATA sections in input
+    documents.
+    
+    Found by OSS-Fuzz.
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 95ebd07..d7ab0b6 100644
+--- a/libxslt/transform.c
+++ b/libxslt/transform.c
+@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
+            if ((copy->content = xmlStrdup(cur->content)) == NULL)
+                return NULL;
+        }
+
+       ctxt->lasttext = NULL;
+     } else {
+         /*
+         * normal processing. keep counters to extend the text node
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
index abc00a09ea..9f268e7bb0 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
           file://0001-Fix-security-framework-bypass.patch \
           file://CVE-2019-13117.patch \
           file://CVE-2019-13118.patch \
+           file://CVE-2019-18197.patch \
 "
 SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"
author	Joe Slater <joe.slater@windriver.com>	2019-10-22 18:59:51 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-31 16:09:35 +0000
commit	3a1ad58f74a9c6ad5bccc5832de9dd3e03be2d36 (patch)
tree	1bc92ab9eda0d239c4aea5d7f3108cb08dc2d120 /meta/recipes-support/libxslt
parent	6df6e5d3baf26184c138c2341e1e5c8b19f16b95 (diff)
download	poky-3a1ad58f74a9c6ad5bccc5832de9dd3e03be2d36.tar.gz

diff --git a/meta/recipes-support/libxslt/files/CVE-2019-18197.patch b/meta/recipes-support/libxslt/files/CVE-2019-18197.patch new file mode 100644 index 0000000000..5f2b620396 --- /dev/null +++ b/meta/recipes-support/libxslt/files/CVE-2019-18197.patch
@@ -0,0 +1,33 @@
		1	libxslt: fix CVE-2019-18197
		2
		3	Added after 1.1.33 release.
		4
		5	CVE: CVE-2019-18197
		6	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt.git]
		7	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		8
		9	commit 2232473733b7313d67de8836ea3b29eec6e8e285
		10	Author: Nick Wellnhofer <wellnhofer@aevum.de>
		11	Date: Sat Aug 17 16:51:53 2019 +0200
		12
		13	Fix dangling pointer in xsltCopyText
		14
		15	xsltCopyText didn't reset ctxt->lasttext in some cases which could
		16	lead to various memory errors in relation with CDATA sections in input
		17	documents.
		18
		19	Found by OSS-Fuzz.
		20
		21	diff --git a/libxslt/transform.c b/libxslt/transform.c
		22	index 95ebd07..d7ab0b6 100644
		23	--- a/libxslt/transform.c
		24	+++ b/libxslt/transform.c
		25	@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
		26	if ((copy->content = xmlStrdup(cur->content)) == NULL)
		27	return NULL;
		28	}
		29	+
		30	+ ctxt->lasttext = NULL;
		31	} else {
		32	/*
		33	* normal processing. keep counters to extend the text node


diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.33.bb index abc00a09ea..9f268e7bb0 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
12	file://0001-Fix-security-framework-bypass.patch \	12	file://0001-Fix-security-framework-bypass.patch \
13	file://CVE-2019-13117.patch \	13	file://CVE-2019-13117.patch \
14	file://CVE-2019-13118.patch \	14	file://CVE-2019-13118.patch \
		15	file://CVE-2019-18197.patch \
15	"	16	"
16		17
17	SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"	18	SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"