diff options
author | takeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp> | 2020-11-02 11:07:33 +0900 |
---|---|---|
committer | takeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp> | 2020-11-02 11:07:33 +0900 |
commit | 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf (patch) | |
tree | cd70a267a5ef105ba32f200aa088e281fbd85747 /external/poky/meta/recipes-support/libxslt | |
parent | 4204309872da5cb401cbb2729d9e2d4869a87f42 (diff) |
basesystem-jjsandbox/ToshikazuOhiwa/master-jj
recipes
Diffstat (limited to 'external/poky/meta/recipes-support/libxslt')
-rw-r--r-- | external/poky/meta/recipes-support/libxslt/files/CVE-2019-13117.patch | 33 | ||||
-rw-r--r-- | external/poky/meta/recipes-support/libxslt/files/CVE-2019-13118.patch | 76 | ||||
-rw-r--r-- | external/poky/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch | 128 | ||||
-rw-r--r-- | external/poky/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch | 80 | ||||
-rw-r--r-- | external/poky/meta/recipes-support/libxslt/libxslt_1.1.34.bb (renamed from external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb) | 25 |
5 files changed, 13 insertions, 329 deletions
diff --git a/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13117.patch deleted file mode 100644 index ef3f2709..00000000 --- a/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13117.patch +++ /dev/null @@ -1,33 +0,0 @@ -From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer <wellnhofer@aevum.de> -Date: Sat, 27 Apr 2019 11:19:48 +0200 -Subject: [PATCH] Fix uninitialized read of xsl:number token - -Found by OSS-Fuzz. - -CVE: CVE-2019-13117 -Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1] -Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> ---- - libxslt/numbers.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/libxslt/numbers.c b/libxslt/numbers.c -index 89e1f668..75c31eba 100644 ---- a/libxslt/numbers.c -+++ b/libxslt/numbers.c -@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format, - tokens->tokens[tokens->nTokens].token = val - 1; - ix += len; - val = xmlStringCurrentChar(NULL, format+ix, &len); -- } -+ } else { -+ tokens->tokens[tokens->nTokens].token = (xmlChar)'0'; -+ tokens->tokens[tokens->nTokens].width = 1; -+ } - } else if ( (val == (xmlChar)'A') || - (val == (xmlChar)'a') || - (val == (xmlChar)'I') || --- -2.21.0 - diff --git a/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13118.patch deleted file mode 100644 index 595e6c2f..00000000 --- a/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13118.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer <wellnhofer@aevum.de> -Date: Mon, 3 Jun 2019 13:14:45 +0200 -Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars - -The character type in xsltFormatNumberConversion was too narrow and -an invalid character/length combination could be passed to -xsltNumberFormatDecimal, resulting in an uninitialized read. - -Found by OSS-Fuzz. - -CVE: CVE-2019-13118 -Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b] -Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> - ---- - libxslt/numbers.c | 5 +++-- - tests/docs/bug-222.xml | 1 + - tests/general/bug-222.out | 2 ++ - tests/general/bug-222.xsl | 6 ++++++ - 4 files changed, 12 insertions(+), 2 deletions(-) - create mode 100644 tests/docs/bug-222.xml - create mode 100644 tests/general/bug-222.out - create mode 100644 tests/general/bug-222.xsl - -diff --git a/libxslt/numbers.c b/libxslt/numbers.c -index f1ed8846..20b99d5a 100644 ---- a/libxslt/numbers.c -+++ b/libxslt/numbers.c -@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER: - number = floor((scale * number + 0.5)) / scale; - if ((self->grouping != NULL) && - (self->grouping[0] != 0)) { -+ int gchar; - - len = xmlStrlen(self->grouping); -- pchar = xsltGetUTF8Char(self->grouping, &len); -+ gchar = xsltGetUTF8Char(self->grouping, &len); - xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], - format_info.integer_digits, - format_info.group, -- pchar, len); -+ gchar, len); - } else - xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], - format_info.integer_digits, -diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml -new file mode 100644 -index 00000000..69d62f2c ---- /dev/null -+++ b/tests/docs/bug-222.xml -@@ -0,0 +1 @@ -+<doc/> -diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out -new file mode 100644 -index 00000000..e3139698 ---- /dev/null -+++ b/tests/general/bug-222.out -@@ -0,0 +1,2 @@ -+<?xml version="1.0"?> -+1⠢0 -diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl -new file mode 100644 -index 00000000..e32dc473 ---- /dev/null -+++ b/tests/general/bug-222.xsl -@@ -0,0 +1,6 @@ -+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> -+ <xsl:decimal-format name="f" grouping-separator="⠢"/> -+ <xsl:template match="/"> -+ <xsl:value-of select="format-number(10,'#⠢0','f')"/> -+ </xsl:template> -+</xsl:stylesheet> --- -2.21.0 - diff --git a/external/poky/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch b/external/poky/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch deleted file mode 100644 index 83ca8a3c..00000000 --- a/external/poky/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch +++ /dev/null @@ -1,128 +0,0 @@ -From aed812d8dbbb6d1337312652aa72aa7f44d2b07d Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer <wellnhofer@aevum.de> -Date: Sun, 24 Mar 2019 09:51:39 +0100 -Subject: [PATCH] Fix security framework bypass - -xsltCheckRead and xsltCheckWrite return -1 in case of error but callers -don't check for this condition and allow access. With a specially -crafted URL, xsltCheckRead could be tricked into returning an error -because of a supposedly invalid URL that would still be loaded -succesfully later on. - -Fixes #12. - -Thanks to Felix Wilhelm for the report. - -Signed-off-by: Muminul Islam <muminul.islam@microsoft.com> - -CVE: CVE-2019-11068 - -Upstream-Status: Backport - -https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 ---- - libxslt/documents.c | 18 ++++++++++-------- - libxslt/imports.c | 9 +++++---- - libxslt/transform.c | 9 +++++---- - libxslt/xslt.c | 9 +++++---- - 4 files changed, 25 insertions(+), 20 deletions(-) - -diff --git a/libxslt/documents.c b/libxslt/documents.c -index 3f3a7312..4aad11bb 100644 ---- a/libxslt/documents.c -+++ b/libxslt/documents.c -@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) { - int res; - - res = xsltCheckRead(ctxt->sec, ctxt, URI); -- if (res == 0) { -- xsltTransformError(ctxt, NULL, NULL, -- "xsltLoadDocument: read rights for %s denied\n", -- URI); -+ if (res <= 0) { -+ if (res == 0) -+ xsltTransformError(ctxt, NULL, NULL, -+ "xsltLoadDocument: read rights for %s denied\n", -+ URI); - return(NULL); - } - } -@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) { - int res; - - res = xsltCheckRead(sec, NULL, URI); -- if (res == 0) { -- xsltTransformError(NULL, NULL, NULL, -- "xsltLoadStyleDocument: read rights for %s denied\n", -- URI); -+ if (res <= 0) { -+ if (res == 0) -+ xsltTransformError(NULL, NULL, NULL, -+ "xsltLoadStyleDocument: read rights for %s denied\n", -+ URI); - return(NULL); - } - } -diff --git a/libxslt/imports.c b/libxslt/imports.c -index 7262aab9..b62e0877 100644 ---- a/libxslt/imports.c -+++ b/libxslt/imports.c -@@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) { - int secres; - - secres = xsltCheckRead(sec, NULL, URI); -- if (secres == 0) { -- xsltTransformError(NULL, NULL, NULL, -- "xsl:import: read rights for %s denied\n", -- URI); -+ if (secres <= 0) { -+ if (secres == 0) -+ xsltTransformError(NULL, NULL, NULL, -+ "xsl:import: read rights for %s denied\n", -+ URI); - goto error; - } - } -diff --git a/libxslt/transform.c b/libxslt/transform.c -index 560f43ca..46eef553 100644 ---- a/libxslt/transform.c -+++ b/libxslt/transform.c -@@ -3485,10 +3485,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node, - */ - if (ctxt->sec != NULL) { - ret = xsltCheckWrite(ctxt->sec, ctxt, filename); -- if (ret == 0) { -- xsltTransformError(ctxt, NULL, inst, -- "xsltDocumentElem: write rights for %s denied\n", -- filename); -+ if (ret <= 0) { -+ if (ret == 0) -+ xsltTransformError(ctxt, NULL, inst, -+ "xsltDocumentElem: write rights for %s denied\n", -+ filename); - xmlFree(URL); - xmlFree(filename); - return; -diff --git a/libxslt/xslt.c b/libxslt/xslt.c -index 54a39de9..359913e4 100644 ---- a/libxslt/xslt.c -+++ b/libxslt/xslt.c -@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) { - int res; - - res = xsltCheckRead(sec, NULL, filename); -- if (res == 0) { -- xsltTransformError(NULL, NULL, NULL, -- "xsltParseStylesheetFile: read rights for %s denied\n", -- filename); -+ if (res <= 0) { -+ if (res == 0) -+ xsltTransformError(NULL, NULL, NULL, -+ "xsltParseStylesheetFile: read rights for %s denied\n", -+ filename); - return(NULL); - } - } --- -2.23.0 - diff --git a/external/poky/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch b/external/poky/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch deleted file mode 100644 index ea3ae51e..00000000 --- a/external/poky/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch +++ /dev/null @@ -1,80 +0,0 @@ -libxslt-1.1.32: Fix handling of RVTs returned from nested EXSLT functions - -[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=792580 - -Set the context variable to NULL when evaluating EXSLT functions. -Fixes potential use-after-free errors or memory leaks. - -Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/8bd32f7753ac253a54279a0b6a88d15a57076bb0] -bug: 792580 -Signed-off-by: Andrej Valek <andrej.valek@siemens.com> - -diff --git a/libexslt/functions.c b/libexslt/functions.c -index dc794e3..8511cb0 100644 ---- a/libexslt/functions.c -+++ b/libexslt/functions.c -@@ -280,6 +280,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) { - exsltFuncFunctionData *func; - xmlNodePtr paramNode, oldInsert, fake; - int oldBase; -+ void *oldCtxtVar; - xsltStackElemPtr params = NULL, param; - xsltTransformContextPtr tctxt = xsltXPathGetTransformContext(ctxt); - int i, notSet; -@@ -418,11 +419,14 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) { - fake = xmlNewDocNode(tctxt->output, NULL, - (const xmlChar *)"fake", NULL); - oldInsert = tctxt->insert; -+ oldCtxtVar = tctxt->contextVariable; - tctxt->insert = fake; -+ tctxt->contextVariable = NULL; - xsltApplyOneTemplate (tctxt, tctxt->node, - func->content, NULL, NULL); - xsltLocalVariablePop(tctxt, tctxt->varsBase, -2); - tctxt->insert = oldInsert; -+ tctxt->contextVariable = oldCtxtVar; - tctxt->varsBase = oldBase; /* restore original scope */ - if (params != NULL) - xsltFreeStackElemList(params); -diff --git a/tests/docs/bug-209.xml b/tests/docs/bug-209.xml -new file mode 100644 -index 0000000..69d62f2 ---- /dev/null -+++ b/tests/docs/bug-209.xml -@@ -0,0 +1 @@ -+<doc/> -diff --git a/tests/general/bug-209.out b/tests/general/bug-209.out -new file mode 100644 -index 0000000..e829790 ---- /dev/null -+++ b/tests/general/bug-209.out -@@ -0,0 +1,2 @@ -+<?xml version="1.0"?> -+<result/> -diff --git a/tests/general/bug-209.xsl b/tests/general/bug-209.xsl -new file mode 100644 -index 0000000..fe69ac6 ---- /dev/null -+++ b/tests/general/bug-209.xsl -@@ -0,0 +1,21 @@ -+<xsl:stylesheet -+ version="1.0" -+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform" -+ xmlns:func="http://exslt.org/functions" -+ extension-element-prefixes="func"> -+ -+ <xsl:template match="/"> -+ <xsl:variable name="v" select="func:a()" /> -+ <xsl:copy-of select="$v"/> -+ </xsl:template> -+ -+ <func:function name="func:a"> -+ <func:result select="func:b()" /> -+ </func:function> -+ -+ <func:function name="func:b"> -+ <func:result> -+ <result/> -+ </func:result> -+ </func:function> -+</xsl:stylesheet> diff --git a/external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb b/external/poky/meta/recipes-support/libxslt/libxslt_1.1.34.bb index e2a515f8..1961bb5b 100644 --- a/external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb +++ b/external/poky/meta/recipes-support/libxslt/libxslt_1.1.34.bb @@ -9,14 +9,10 @@ SECTION = "libs" DEPENDS = "libxml2" SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ - file://fix-rvts-handling.patch \ - file://CVE-2019-11068.patch \ - file://CVE-2019-13117.patch \ - file://CVE-2019-13118.patch \ -" + " -SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146" -SRC_URI[sha256sum] = "526ecd0abaf4a7789041622c3950c0e7f2c4c8835471515fd77eec684a355460" +SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a" +SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f" UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar" @@ -24,10 +20,11 @@ S = "${WORKDIR}/libxslt-${PV}" BINCONFIG = "${bindir}/xslt-config" -inherit autotools pkgconfig binconfig-disabled lib_package +inherit autotools pkgconfig binconfig-disabled lib_package multilib_header -# We don't DEPEND on binutils for ansidecl.h so ensure we don't use the header do_configure_prepend () { + # We don't DEPEND on binutils for ansidecl.h so ensure we don't use the header. + # This can be removed when upgrading to 1.1.34. sed -i -e 's/ansidecl.h//' ${S}/configure.ac # The timestamps in the 1.1.28 tarball are messed up causing this file to @@ -35,15 +32,19 @@ do_configure_prepend () { touch ${S}/doc/xsltproc.1 } -EXTRA_OECONF = "--without-python --without-debug --without-mem-debug --without-crypto" +EXTRA_OECONF = "--without-python --without-debug --without-mem-debug --without-crypto --with-html-subdir=${BPN}" # older versions of this recipe had ${PN}-utils RPROVIDES_${PN}-bin += "${PN}-utils" RCONFLICTS_${PN}-bin += "${PN}-utils" RREPLACES_${PN}-bin += "${PN}-utils" - +# This is only needed until libxml can load the relocated catalog itself do_install_append_class-native () { - create_wrapper ${D}/${bindir}/xsltproc XML_CATALOG_FILES=${sysconfdir}/xml/catalog.xml + create_wrapper ${D}/${bindir}/xsltproc XML_CATALOG_FILES=${sysconfdir}/xml/catalog +} + +do_install_append () { + oe_multilib_header libxslt/xsltconfig.h } FILES_${PN} += "${libdir}/libxslt-plugins" |