diff options
Diffstat (limited to 'external/poky/meta/recipes-support/libxslt')
4 files changed, 241 insertions, 1 deletions
diff --git a/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13117.patch new file mode 100644 index 00000000..ef3f2709 --- /dev/null +++ b/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13117.patch @@ -0,0 +1,33 @@ +From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 27 Apr 2019 11:19:48 +0200 +Subject: [PATCH] Fix uninitialized read of xsl:number token + +Found by OSS-Fuzz. + +CVE: CVE-2019-13117 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +--- + libxslt/numbers.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index 89e1f668..75c31eba 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format, + tokens->tokens[tokens->nTokens].token = val - 1; + ix += len; + val = xmlStringCurrentChar(NULL, format+ix, &len); +- } ++ } else { ++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0'; ++ tokens->tokens[tokens->nTokens].width = 1; ++ } + } else if ( (val == (xmlChar)'A') || + (val == (xmlChar)'a') || + (val == (xmlChar)'I') || +-- +2.21.0 + diff --git a/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13118.patch new file mode 100644 index 00000000..595e6c2f --- /dev/null +++ b/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13118.patch @@ -0,0 +1,76 @@ +From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Mon, 3 Jun 2019 13:14:45 +0200 +Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars + +The character type in xsltFormatNumberConversion was too narrow and +an invalid character/length combination could be passed to +xsltNumberFormatDecimal, resulting in an uninitialized read. + +Found by OSS-Fuzz. + +CVE: CVE-2019-13118 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> + +--- + libxslt/numbers.c | 5 +++-- + tests/docs/bug-222.xml | 1 + + tests/general/bug-222.out | 2 ++ + tests/general/bug-222.xsl | 6 ++++++ + 4 files changed, 12 insertions(+), 2 deletions(-) + create mode 100644 tests/docs/bug-222.xml + create mode 100644 tests/general/bug-222.out + create mode 100644 tests/general/bug-222.xsl + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index f1ed8846..20b99d5a 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER: + number = floor((scale * number + 0.5)) / scale; + if ((self->grouping != NULL) && + (self->grouping[0] != 0)) { ++ int gchar; + + len = xmlStrlen(self->grouping); +- pchar = xsltGetUTF8Char(self->grouping, &len); ++ gchar = xsltGetUTF8Char(self->grouping, &len); + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, + format_info.group, +- pchar, len); ++ gchar, len); + } else + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, +diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml +new file mode 100644 +index 00000000..69d62f2c +--- /dev/null ++++ b/tests/docs/bug-222.xml +@@ -0,0 +1 @@ ++<doc/> +diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out +new file mode 100644 +index 00000000..e3139698 +--- /dev/null ++++ b/tests/general/bug-222.out +@@ -0,0 +1,2 @@ ++<?xml version="1.0"?> ++1⠢0 +diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl +new file mode 100644 +index 00000000..e32dc473 +--- /dev/null ++++ b/tests/general/bug-222.xsl +@@ -0,0 +1,6 @@ ++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> ++ <xsl:decimal-format name="f" grouping-separator="⠢"/> ++ <xsl:template match="/"> ++ <xsl:value-of select="format-number(10,'#⠢0','f')"/> ++ </xsl:template> ++</xsl:stylesheet> +-- +2.21.0 + diff --git a/external/poky/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch b/external/poky/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch new file mode 100644 index 00000000..83ca8a3c --- /dev/null +++ b/external/poky/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch @@ -0,0 +1,128 @@ +From aed812d8dbbb6d1337312652aa72aa7f44d2b07d Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sun, 24 Mar 2019 09:51:39 +0100 +Subject: [PATCH] Fix security framework bypass + +xsltCheckRead and xsltCheckWrite return -1 in case of error but callers +don't check for this condition and allow access. With a specially +crafted URL, xsltCheckRead could be tricked into returning an error +because of a supposedly invalid URL that would still be loaded +succesfully later on. + +Fixes #12. + +Thanks to Felix Wilhelm for the report. + +Signed-off-by: Muminul Islam <muminul.islam@microsoft.com> + +CVE: CVE-2019-11068 + +Upstream-Status: Backport + +https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 +--- + libxslt/documents.c | 18 ++++++++++-------- + libxslt/imports.c | 9 +++++---- + libxslt/transform.c | 9 +++++---- + libxslt/xslt.c | 9 +++++---- + 4 files changed, 25 insertions(+), 20 deletions(-) + +diff --git a/libxslt/documents.c b/libxslt/documents.c +index 3f3a7312..4aad11bb 100644 +--- a/libxslt/documents.c ++++ b/libxslt/documents.c +@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) { + int res; + + res = xsltCheckRead(ctxt->sec, ctxt, URI); +- if (res == 0) { +- xsltTransformError(ctxt, NULL, NULL, +- "xsltLoadDocument: read rights for %s denied\n", +- URI); ++ if (res <= 0) { ++ if (res == 0) ++ xsltTransformError(ctxt, NULL, NULL, ++ "xsltLoadDocument: read rights for %s denied\n", ++ URI); + return(NULL); + } + } +@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) { + int res; + + res = xsltCheckRead(sec, NULL, URI); +- if (res == 0) { +- xsltTransformError(NULL, NULL, NULL, +- "xsltLoadStyleDocument: read rights for %s denied\n", +- URI); ++ if (res <= 0) { ++ if (res == 0) ++ xsltTransformError(NULL, NULL, NULL, ++ "xsltLoadStyleDocument: read rights for %s denied\n", ++ URI); + return(NULL); + } + } +diff --git a/libxslt/imports.c b/libxslt/imports.c +index 7262aab9..b62e0877 100644 +--- a/libxslt/imports.c ++++ b/libxslt/imports.c +@@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) { + int secres; + + secres = xsltCheckRead(sec, NULL, URI); +- if (secres == 0) { +- xsltTransformError(NULL, NULL, NULL, +- "xsl:import: read rights for %s denied\n", +- URI); ++ if (secres <= 0) { ++ if (secres == 0) ++ xsltTransformError(NULL, NULL, NULL, ++ "xsl:import: read rights for %s denied\n", ++ URI); + goto error; + } + } +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 560f43ca..46eef553 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -3485,10 +3485,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node, + */ + if (ctxt->sec != NULL) { + ret = xsltCheckWrite(ctxt->sec, ctxt, filename); +- if (ret == 0) { +- xsltTransformError(ctxt, NULL, inst, +- "xsltDocumentElem: write rights for %s denied\n", +- filename); ++ if (ret <= 0) { ++ if (ret == 0) ++ xsltTransformError(ctxt, NULL, inst, ++ "xsltDocumentElem: write rights for %s denied\n", ++ filename); + xmlFree(URL); + xmlFree(filename); + return; +diff --git a/libxslt/xslt.c b/libxslt/xslt.c +index 54a39de9..359913e4 100644 +--- a/libxslt/xslt.c ++++ b/libxslt/xslt.c +@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) { + int res; + + res = xsltCheckRead(sec, NULL, filename); +- if (res == 0) { +- xsltTransformError(NULL, NULL, NULL, +- "xsltParseStylesheetFile: read rights for %s denied\n", +- filename); ++ if (res <= 0) { ++ if (res == 0) ++ xsltTransformError(NULL, NULL, NULL, ++ "xsltParseStylesheetFile: read rights for %s denied\n", ++ filename); + return(NULL); + } + } +-- +2.23.0 + diff --git a/external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb b/external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb index f0fa5e72..e2a515f8 100644 --- a/external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb +++ b/external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb @@ -10,7 +10,10 @@ DEPENDS = "libxml2" SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ file://fix-rvts-handling.patch \ - " + file://CVE-2019-11068.patch \ + file://CVE-2019-13117.patch \ + file://CVE-2019-13118.patch \ +" SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146" SRC_URI[sha256sum] = "526ecd0abaf4a7789041622c3950c0e7f2c4c8835471515fd77eec684a355460" |