Control: tags 926895 + patch Control: tags 926895 + pending Control: tags 931320 + patch Control: tags 931320 + pending Control: tags 931321 + patch Control: tags 931321 + pending Control: tags 933743 + patch Control: tags 933743 + pending
Dear maintainer, I've prepared an NMU for libxslt (versioned as 1.1.32-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru libxslt-1.1.32/debian/changelog libxslt-1.1.32/debian/changelog
--- libxslt-1.1.32/debian/changelog 2018-05-26 23:12:37.000000000 +0200
+++ libxslt-1.1.32/debian/changelog 2019-08-04 08:14:05.000000000 +0200
@@ -1,3 +1,14 @@
+libxslt (1.1.32-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix security framework bypass (CVE-2019-11068) (Closes: #926895, #933743)
+ * Fix uninitialized read of xsl:number token (CVE-2019-13117)
+ (Closes: #931321, #933743)
+ * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118)
+ (Closes: #931320, #933743)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sun, 04 Aug 2019 08:14:05 +0200
+
 libxslt (1.1.32-2) unstable; urgency=medium
 * Team upload.
diff -Nru libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch
--- libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch 2019-08-04 08:14:05.000000000 +0200
@@ -0,0 +1,124 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: Fix security framework bypass
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11068
+Bug: https://gitlab.gnome.org/GNOME/libxslt/issues/12
+Bug-Debian: https://bugs.debian.org/926895
+Bug-Debian: https://bugs.debian.org/933743
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c | 9 +++++----
+ libxslt/transform.c | 9 +++++----
+ libxslt/xslt.c | 9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312ca8e..4aad11bbd1a9 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(ctxt->sec, ctxt, URI);
+- if (res == 0) {
+- xsltTransformError(ctxt, NULL, NULL,
+- "xsltLoadDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(ctxt, NULL, NULL,
++ "xsltLoadDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, URI);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltLoadStyleDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltLoadStyleDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cca90e..3783b2476d9e 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ int secres;
+
+ secres = xsltCheckRead(sec, NULL, URI);
+- if (secres == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsl:import: read rights for %s denied\n",
+- URI);
++ if (secres <= 0) {
++ if (secres == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsl:import: read rights for %s denied\n",
++ URI);
+ goto error;
+ }
+ }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914f5d3..0636dbd0a242 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ */
+ if (ctxt->sec != NULL) {
+ ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+- if (ret == 0) {
+- xsltTransformError(ctxt, NULL, inst,
+- "xsltDocumentElem: write rights for %s denied\n",
+- filename);
++ if (ret <= 0) {
++ if (ret == 0)
++ xsltTransformError(ctxt, NULL, inst,
++ "xsltDocumentElem: write rights for %s denied\n",
++ filename);
+ xmlFree(URL);
+ xmlFree(filename);
+ return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad75ea9..a234eb79bb53 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, filename);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltParseStylesheetFile: read rights for %s denied\n",
+- filename);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltParseStylesheetFile: read rights for %s denied\n",
++ filename);
+ return(NULL);
+ }
+ }
+--
+2.20.1
+
diff -Nru libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch
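Review bot: In the new `if (res <= 0)` branch of xsltLoadDocument the diagnostic is now guarded by `if (res == 0)`, so a negative return from xsltCheckRead — exactly the case this patch starts rejecting — denies the load without any message; the same silent path is introduced in xsltLoadStyleDocument, xsltParseStylesheetImport, xsltDocumentElem (for xsltCheckWrite) and xsltParseStylesheetFile. A caller that presumably just sees the NULL return cannot tell a failed security check apart from a document that could not be loaded, which hampers both debugging and noticing attempts with malformed URIs. An `else` that reports the error would keep the fail-closed behaviour while restoring visibility, e.g. `else xsltTransformError(ctxt, NULL, NULL, "xsltLoadDocument: security check for %s failed\n", URI);` before the `return(NULL)`, with the matching context arguments at the other four sites. All five enclosing functions start and end outside their hunks, and since this file is a verbatim upstream cherry-pick the addition belongs upstream rather than in the Debian patch.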
libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch
--- libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch 2019-08-04 08:14:05.000000000 +0200
@@ -0,0 +1,32 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: Fix uninitialized read of xsl:number token
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13117
+Bug-Debian: https://bugs.debian.org/931321
+Bug-Debian: https://bugs.debian.org/933743
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668b2bd..75c31ebaeb88 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ tokens->tokens[tokens->nTokens].token = val - 1;
+ ix += len;
+ val = xmlStringCurrentChar(NULL, format+ix, &len);
+- }
++ } else {
++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++ tokens->tokens[tokens->nTokens].width = 1;
++ }
+ } else if ( (val == (xmlChar)'A') ||
+ (val == (xmlChar)'a') ||
+ (val == (xmlChar)'I') ||
+--
+2.20.1
+
diff -Nru libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch
--- libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch 2019-08-04 08:14:05.000000000 +0200
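Review bot: The new `else` branch in xsltNumberFormatTokenize assigns `token = (xmlChar)'0'` and `width = 1` without a comment, so a reader of the patch cannot tell why these particular values are the safe defaults; the only clue is the commit subject. A short comment above the two assignments would help, e.g. `/* Fallback when the preceding check did not match: default to a decimal "0" token of width 1 so the entry is never left uninitialized */`, refined if the surrounding code (outside the hunk) gives the precise condition. Unlike patch 0008, this fix ships no regression test under tests/ (the diffstat lists only libxslt/numbers.c), so the uninitialized-read case it closes is not exercised by the test suite; if a reproducer from the OSS-Fuzz report is available, adding it as a test would guard against regressions. The enclosing function starts and ends outside the hunk.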
@@ -0,0 +1,74 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: Fix uninitialized read with UTF-8 grouping chars
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13118
+Bug-Debian: https://bugs.debian.org/931320
+Bug-Debian: https://bugs.debian.org/933743
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 +++--
+ tests/docs/bug-222.xml | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed88468257..20b99d5adef0 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+ number = floor((scale * number + 0.5)) / scale;
+ if ((self->grouping != NULL) &&
+ (self->grouping[0] != 0)) {
++ int gchar;
+
+ len = xmlStrlen(self->grouping);
+- pchar = xsltGetUTF8Char(self->grouping, &len);
++ gchar = xsltGetUTF8Char(self->grouping, &len);
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+ format_info.group,
+- pchar, len);
++ gchar, len);
+ } else
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 000000000000..69d62f2c9aef
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 000000000000..e3139698eb49
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1???0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 000000000000..e32dc47337cb
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++ <xsl:decimal-format name="f" grouping-separator="???"/>
++ <xsl:template match="/">
++ <xsl:value-of select="format-number(10,'#???0','f')"/>
++ </xsl:template>
++</xsl:stylesheet>
+--
+2.20.1
+
diff -Nru libxslt-1.1.32/debian/patches/series libxslt-1.1.32/debian/patches/series
--- libxslt-1.1.32/debian/patches/series 2018-05-26 13:46:33.000000000 +0200
+++ libxslt-1.1.32/debian/patches/series 2019-08-04 08:14:05.000000000 +0200
@@ -3,3 +3,6 @@
 0003-fix-typo.patch
 0004-Make-generate-id-deterministic.patch
 0005-remove-plugin-in-xslt-config.patch
+0006-Fix-security-framework-bypass.patch
+0007-Fix-uninitialized-read-of-xsl-number-token.patch
+0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch
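Review bot: The new `int gchar;` in xsltFormatNumberConversion replaces `pchar` without a comment explaining why a wider type is needed, even though that is the whole point of the fix according to the commit message; the hunk also leaves it unclear whether `pchar` is still used elsewhere in the function (outside the hunk) or is now a dead variable that a compiler would warn about. A comment next to the declaration would record the intent, e.g. `/* Grouping separator may be a multi-byte UTF-8 char; keep the full code point (not a truncated xmlChar) so it stays consistent with the length passed to xsltNumberFormatDecimal */`. Note also that the expected output in tests/general/bug-222.out and the separator in bug-222.xsl appear here as `???`, so the non-ASCII characters did not survive this rendering and the test's intent should be checked against the upstream commit rather than this copy. The enclosing function starts and ends outside the hunk.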