authorNatanael Copa <ncopa@alpinelinux.org>2019-04-17 07:17:23 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2019-04-17 07:57:45 +0000
commitef2dd8d40fec766b73bb686c015aa9e2a52b378b (patch)
tree3bac06ae2e18e94033820626f81470eae4d3ac1c
parentd6ab6c12b91030e3c1d072ed36e093c2ebbc96cf (diff)
main/libxslt: security fix for CVE-2019-11068
fixes #10281
-rw-r--r--main/libxslt/APKBUILD15
-rw-r--r--main/libxslt/CVE-2019-11068.patch120
2 files changed, 130 insertions, 5 deletions
diff --git a/main/libxslt/APKBUILD b/main/libxslt/APKBUILD
index 84e3fefcad..cd8f0beb5e 100644
--- a/main/libxslt/APKBUILD
+++ b/main/libxslt/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
pkgname=libxslt
pkgver=1.1.29
-pkgrel=3
+pkgrel=4
pkgdesc="XML stylesheet transformation library"
url="http://xmlsoft.org/XSLT/"
arch="all"
@@ -10,14 +10,17 @@ license="custom"
depends=
makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python2-dev"
subpackages="$pkgname-dev $pkgname-doc py-$pkgname:py"
-source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz
+source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
CVE-2017-5029.patch
+ CVE-2019-11068.patch
"
-builddir="$srcdir"/$pkgname-$pkgver
+builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 1.1.29-r4:
+# - CVE-2019-11068
# 1.1.29-r1:
-# - CVE-2017-5029
+# - CVE-2017-5029
prepare() {
cd "$builddir"
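Review bot: The new `source=` URL fetches the tarball over cleartext `http://`, so the only thing binding the download to the expected content is the `sha512sums` entry for `libxslt-1.1.29.tar.gz`, which this commit leaves unchanged. That is adequate as long as the checksum is verified at build time. If upstream serves the same path over TLS (not confirmed from this page), `source="https://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz` would be the better choice. prepare() continues outside the hunk.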
@@ -45,5 +48,7 @@ py() {
install -d "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/python* "$subpkgdir"/usr/lib/
}
+
sha512sums="a1ce555a74a9dabe65e8f64bb66e27e77760fd76940d88f2d59f58dd63ca73c8ae59f3fcbd8e76c8f92ff992fb0c09328528c20ea38ccac83e63252106bf5f31 libxslt-1.1.29.tar.gz
-586182c5cabf86605bc628c98fcc18ee7120c5917dab25e2f4c013660ccda34f44f4b6c46a7d7473baaa1c208e306c5b4012cc95770e1be88c7aec9121880aa7 CVE-2017-5029.patch"
+586182c5cabf86605bc628c98fcc18ee7120c5917dab25e2f4c013660ccda34f44f4b6c46a7d7473baaa1c208e306c5b4012cc95770e1be88c7aec9121880aa7 CVE-2017-5029.patch
+9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch"
diff --git a/main/libxslt/CVE-2019-11068.patch b/main/libxslt/CVE-2019-11068.patch
new file mode 100644
index 0000000000..260f35d1a3
--- /dev/null
+++ b/main/libxslt/CVE-2019-11068.patch
@@ -0,0 +1,120 @@
+From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: [PATCH] Fix security framework bypass
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c | 9 +++++----
+ libxslt/transform.c | 9 +++++----
+ libxslt/xslt.c | 9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312..4aad11bb 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(ctxt->sec, ctxt, URI);
+- if (res == 0) {
+- xsltTransformError(ctxt, NULL, NULL,
+- "xsltLoadDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(ctxt, NULL, NULL,
++ "xsltLoadDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, URI);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltLoadStyleDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltLoadStyleDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cc..3783b247 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ int secres;
+
+ secres = xsltCheckRead(sec, NULL, URI);
+- if (secres == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsl:import: read rights for %s denied\n",
+- URI);
++ if (secres <= 0) {
++ if (secres == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsl:import: read rights for %s denied\n",
++ URI);
+ goto error;
+ }
+ }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914..0636dbd0 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ */
+ if (ctxt->sec != NULL) {
+ ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+- if (ret == 0) {
+- xsltTransformError(ctxt, NULL, inst,
+- "xsltDocumentElem: write rights for %s denied\n",
+- filename);
++ if (ret <= 0) {
++ if (ret == 0)
++ xsltTransformError(ctxt, NULL, inst,
++ "xsltDocumentElem: write rights for %s denied\n",
++ filename);
+ xmlFree(URL);
+ xmlFree(filename);
+ return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad7..a234eb79 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, filename);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltParseStylesheetFile: read rights for %s denied\n",
+- filename);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltParseStylesheetFile: read rights for %s denied\n",
++ filename);
+ return(NULL);
+ }
+ }
+--
+2.18.1
+
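Review bot: At all five patched call sites the `-1` path now returns without a message of its own, because `xsltTransformError` is guarded by `if (res == 0)`; whether any diagnostic is emitted then depends on xsltCheckRead/xsltCheckWrite reporting the failure themselves, which is not visible here. A comment above each `if (res <= 0)` such as `/* res < 0: the check itself failed; fail closed, same as a denial */` would record why an error is treated as a refusal. The nested `if (res == 0)` wraps a four-line call without braces, and bracing it would guard against a later edit changing which statements sit under the condition. The patch covers xsltLoadDocument, xsltLoadStyleDocument, xsltParseStylesheetImport, xsltDocumentElem and xsltParseStylesheetFile; any other caller that still compares the result with `== 0` would need the same change, which cannot be judged from this page. All five enclosing functions start and end outside their hunks.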