authorLeonardo Arena <rnalrd@alpinelinux.org>2017-04-26 10:04:45 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2017-04-26 10:06:45 +0000
commitcc932aa50f5b86563e283c3be8ce3160de5d4698 (patch)
treeaefae5ebc37769a2d8531cd862ab186c2d5850dc
parentb39c44a524a6e619c9858717cca0a65e6c2e5873 (diff)
main/libxslt: security fixes #7060 (CVE-2017-5029)
Remove unneeded patches
-rw-r--r--main/libxslt/APKBUILD20
-rw-r--r--main/libxslt/CVE-2017-5029.patch74
-rw-r--r--main/libxslt/libxslt-Fix-regression-Default-namespace-not-correctly-used.patch132
3 files changed, 89 insertions, 137 deletions
diff --git a/main/libxslt/APKBUILD b/main/libxslt/APKBUILD
index e0246664f0..b9e3a201b8 100644
--- a/main/libxslt/APKBUILD
+++ b/main/libxslt/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxslt
pkgver=1.1.29
-pkgrel=0
+pkgrel=1
pkgdesc="XML stylesheet transformation library"
url="http://xmlsoft.org/XSLT/"
arch="all"
@@ -9,9 +9,16 @@ license="custom"
depends=
makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python-dev"
subpackages="$pkgname-dev $pkgname-doc py-$pkgname:py"
-source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz"
+source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz
+ CVE-2017-5029.patch
+ "
_builddir="$srcdir"/$pkgname-$pkgver
+
+# secfixes:
+# 1.1.29-r1:
+# - CVE-2017-5029
+
prepare() {
cd "$_builddir"
#update_config_sub || return 1
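Review bot: Listing `CVE-2017-5029.patch` in `source=` only fetches and checksums the file; with a custom `prepare()` like the one that begins at the end of this hunk, the patch reaches the tree only if the body calls `default_prepare` or runs `patch` itself. The body of `prepare()` continues outside the hunk, so this cannot be confirmed from here. If the patch is not applied, the new `secfixes` entry would record 1.1.29-r1 as fixed while the built library is unchanged. It is worth confirming in the build log that the patch is applied, or adding `default_prepare || return 1` after the `cd`.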
@@ -45,6 +52,9 @@ py() {
install -d "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/python* "$subpkgdir"/usr/lib/
}
-md5sums="a129d3c44c022de3b9dcf6d6f288d72e libxslt-1.1.29.tar.gz"
-sha256sums="b5976e3857837e7617b29f2249ebb5eeac34e249208d31f1fbf7a6ba7a4090ce libxslt-1.1.29.tar.gz"
-sha512sums="a1ce555a74a9dabe65e8f64bb66e27e77760fd76940d88f2d59f58dd63ca73c8ae59f3fcbd8e76c8f92ff992fb0c09328528c20ea38ccac83e63252106bf5f31 libxslt-1.1.29.tar.gz"
+md5sums="a129d3c44c022de3b9dcf6d6f288d72e libxslt-1.1.29.tar.gz
+db2ca974d0391f74b3c02550056fc588 CVE-2017-5029.patch"
+sha256sums="b5976e3857837e7617b29f2249ebb5eeac34e249208d31f1fbf7a6ba7a4090ce libxslt-1.1.29.tar.gz
+ef18ec8c31d73e1eb57ab7fd14a4f085fc9962dd9beec8c053c02e3204f97004 CVE-2017-5029.patch"
+sha512sums="a1ce555a74a9dabe65e8f64bb66e27e77760fd76940d88f2d59f58dd63ca73c8ae59f3fcbd8e76c8f92ff992fb0c09328528c20ea38ccac83e63252106bf5f31 libxslt-1.1.29.tar.gz
+586182c5cabf86605bc628c98fcc18ee7120c5917dab25e2f4c013660ccda34f44f4b6c46a7d7473baaa1c208e306c5b4012cc95770e1be88c7aec9121880aa7 CVE-2017-5029.patch"
diff --git a/main/libxslt/CVE-2017-5029.patch b/main/libxslt/CVE-2017-5029.patch
new file mode 100644
index 0000000000..2881fc144b
--- /dev/null
+++ b/main/libxslt/CVE-2017-5029.patch
@@ -0,0 +1,74 @@
+From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 12 Jan 2017 15:39:52 +0100
+Subject: Check for integer overflow in xsltAddTextString
+
+Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
+exploited to trigger an out of bounds write on 64-bit systems.
+
+Originally reported to Chromium:
+
+https://crbug.com/676623
+---
+ libxslt/transform.c | 25 ++++++++++++++++++++++---
+ libxslt/xsltInternals.h | 4 ++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 519133f..02bff34 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ return(target);
+
+ if (ctxt->lasttext == target->content) {
++ int minSize;
+
+- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
++ /* Check for integer overflow accounting for NUL terminator. */
++ if (len >= INT_MAX - ctxt->lasttuse) {
++ xsltTransformError(ctxt, NULL, target,
++ "xsltCopyText: text allocation failed\n");
++ return(NULL);
++ }
++ minSize = ctxt->lasttuse + len + 1;
++
++ if (ctxt->lasttsize < minSize) {
+ xmlChar *newbuf;
+ int size;
++ int extra;
++
++ /* Double buffer size but increase by at least 100 bytes. */
++ extra = minSize < 100 ? 100 : minSize;
++
++ /* Check for integer overflow. */
++ if (extra > INT_MAX - ctxt->lasttsize) {
++ size = INT_MAX;
++ }
++ else {
++ size = ctxt->lasttsize + extra;
++ }
+
+- size = ctxt->lasttsize + len + 100;
+- size *= 2;
+ newbuf = (xmlChar *) xmlRealloc(target->content,size);
+ if (newbuf == NULL) {
+ xsltTransformError(ctxt, NULL, target,
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 060b178..5ad1771 100644
+--- a/libxslt/xsltInternals.h
++++ b/libxslt/xsltInternals.h
+@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
+ * Speed optimization when coalescing text nodes
+ */
+ const xmlChar *lasttext; /* last text node content */
+- unsigned int lasttsize; /* last text node size */
+- unsigned int lasttuse; /* last text node use */
++ int lasttsize; /* last text node size */
++ int lasttuse; /* last text node use */
+ /*
+ * Per Context Debugging
+ */
+--
+cgit v0.12
+
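Review bot: The new overflow branch in `xsltAddTextString` reports `"xsltCopyText: text allocation failed\n"`, which names a different function and describes an allocation failure. A text node rejected for size is therefore indistinguishable in logs from a genuine out-of-memory condition. A distinct message such as `"xsltAddTextString: text size exceeds INT_MAX\n"` would make that case easy to triage; because this file carries upstream's commit verbatim, the change belongs upstream rather than in a local edit. The guard `len >= INT_MAX - ctxt->lasttuse` also relies on `len` being positive and `lasttuse` non-negative now that the fields are `int`, and any check on `len` sits above the hunk and is not visible here.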
diff --git a/main/libxslt/libxslt-Fix-regression-Default-namespace-not-correctly-used.patch b/main/libxslt/libxslt-Fix-regression-Default-namespace-not-correctly-used.patch
deleted file mode 100644
index b1d6e44aea..0000000000
--- a/main/libxslt/libxslt-Fix-regression-Default-namespace-not-correctly-used.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From 70213d9c9a86adac841247b249dc188ba2aab3db Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Fri, 28 Sep 2012 21:04:39 +0200
-Subject: [PATCH] Fix regression: Default namespace not correctly used
-To: libvir-list@redhat.com
-
-https://bugzilla.gnome.org/show_bug.cgi?id=684564
-
-Signed-off-by: Daniel Veillard <veillard@redhat.com>
----
- libxslt/transform.c | 14 ++++++++------
- tests/docs/Makefile.am | 1 +
- tests/docs/bug-179.xml | 1 +
- tests/general/Makefile.am | 1 +
- tests/general/bug-179.out | 9 +++++++++
- tests/general/bug-179.xsl | 24 ++++++++++++++++++++++++
- 6 files changed, 44 insertions(+), 6 deletions(-)
- create mode 100644 tests/docs/bug-179.xml
- create mode 100644 tests/general/bug-179.out
- create mode 100644 tests/general/bug-179.xsl
-
-diff --git a/libxslt/transform.c b/libxslt/transform.c
-index de2ef3c..35701de 100644
---- a/libxslt/transform.c
-+++ b/libxslt/transform.c
-@@ -4075,7 +4075,7 @@ xsltElement(xsltTransformContextPtr ctxt, xmlNodePtr node,
- } else if (xmlStrEqual(prefix, BAD_CAST "xml")) {
- prefix = NULL;
- }
-- } else if (prefix != NULL) {
-+ } else {
- xmlNsPtr ns;
- /*
- * SPEC XSLT 1.0:
-@@ -4090,11 +4090,13 @@ xsltElement(xsltTransformContextPtr ctxt, xmlNodePtr node,
- * TODO: Check this in the compilation layer in case it's a
- * static value.
- */
-- xsltTransformError(ctxt, NULL, inst,
-- "xsl:element: The QName '%s:%s' has no "
-- "namespace binding in scope in the stylesheet; "
-- "this is an error, since the namespace was not "
-- "specified by the instruction itself.\n", prefix, name);
-+ if (prefix != NULL) {
-+ xsltTransformError(ctxt, NULL, inst,
-+ "xsl:element: The QName '%s:%s' has no "
-+ "namespace binding in scope in the stylesheet; "
-+ "this is an error, since the namespace was not "
-+ "specified by the instruction itself.\n", prefix, name);
-+ }
- } else
- nsName = ns->href;
- }
-diff --git a/tests/docs/Makefile.am b/tests/docs/Makefile.am
-index 9e2204f..12a97a8 100644
---- a/tests/docs/Makefile.am
-+++ b/tests/docs/Makefile.am
-@@ -168,6 +168,7 @@ EXTRA_DIST = \
- bug-167.xml \
- bug-168.xml \
- bug-169.xml \
-+ bug-179.xml \
- character.xml \
- array.xml \
- items.xml
-diff --git a/tests/docs/bug-179.xml b/tests/docs/bug-179.xml
-new file mode 100644
-index 0000000..69d62f2
---- /dev/null
-+++ b/tests/docs/bug-179.xml
-@@ -0,0 +1 @@
-+<doc/>
-diff --git a/tests/general/Makefile.am b/tests/general/Makefile.am
-index 24d0d43..fd1e695 100644
---- a/tests/general/Makefile.am
-+++ b/tests/general/Makefile.am
-@@ -186,6 +186,7 @@ EXTRA_DIST = \
- bug-176.out bug-176.xsl \
- bug-177.out bug-177.xsl \
- bug-178.out bug-178.xsl \
-+ bug-179.out bug-179.xsl \
- character.out character.xsl \
- character2.out character2.xsl \
- itemschoose.out itemschoose.xsl \
-diff --git a/tests/general/bug-179.out b/tests/general/bug-179.out
-new file mode 100644
-index 0000000..0a7e67d
---- /dev/null
-+++ b/tests/general/bug-179.out
-@@ -0,0 +1,9 @@
-+<?xml version="1.0"?>
-+<root xmlns="my::namespace">
-+ <foo>...</foo>
-+ <bar>...</bar>
-+ <foobar>...</foobar>
-+ <baz>...</baz>
-+ <doc>...</doc>
-+ <baz>...</baz>
-+</root>
-diff --git a/tests/general/bug-179.xsl b/tests/general/bug-179.xsl
-new file mode 100644
-index 0000000..5847e9a
---- /dev/null
-+++ b/tests/general/bug-179.xsl
-@@ -0,0 +1,24 @@
-+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-+ xmlns="my::namespace">
-+
-+<xsl:variable name="var">baz</xsl:variable>
-+
-+<xsl:output indent="yes"/>
-+
-+<xsl:template match="/">
-+ <root> <!-- This is in the correct namespace "my::namespace" -->
-+ <foo>...</foo> <!-- OK. -->
-+ <xsl:element name="bar">...</xsl:element> <!-- Still okay. -->
-+
-+ <!-- Wrong! These are without namespace. -->
-+ <xsl:element name="{concat('foo', 'bar')}">...</xsl:element>
-+ <xsl:element name="{$var}">...</xsl:element>
-+ <xsl:element name="{local-name(*)}">...</xsl:element>
-+
-+ <!-- Explicitly setting the namespace fixes this. -->
-+ <xsl:element name="{$var}" namespace="my::namespace">...</xsl:element>
-+ </root>
-+</xsl:template>
-+
-+</xsl:stylesheet>
-+
---
-1.7.11.4
-