From d67f5711d1824ce0ddb4568df672ae2976f81f58 Mon Sep 17 00:00:00 2001
From: Leo
Date: Tue, 29 Oct 2019 10:40:26 -0300
Subject: main/libxslt: fix CVE-2019-18197
ref #10916
Closes !917
---
 main/libxslt/APKBUILD | 12 ++++++++----
 main/libxslt/CVE-2019-18197.patch | 30 ++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 main/libxslt/CVE-2019-18197.patch
diff --git a/main/libxslt/APKBUILD b/main/libxslt/APKBUILD
index e8c16c027d..c4d0ab1bd8 100644
--- a/main/libxslt/APKBUILD
+++ b/main/libxslt/APKBUILD
@@ -2,7 +2,7 @@
 # Contributor: Francesco Colista
 pkgname=libxslt
 pkgver=1.1.31
-pkgrel=1
+pkgrel=2
 pkgdesc="XML stylesheet transformation library"
 url="http://xmlsoft.org/XSLT/"
 arch="all"
@@ -11,14 +11,17 @@ makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python2-dev"
 subpackages="$pkgname-dev $pkgname-doc py-$pkgname:py"
 source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
 CVE-2019-11068.patch
+ CVE-2019-18197.patch
 "
 builddir="$srcdir/$pkgname-$pkgver"
 # secfixes:
+# 1.1.31-r2:
+# - CVE-2019-18197
 # 1.1.31-r1:
-# - CVE-2019-11068
+# - CVE-2019-11068
 # 1.1.29-r1:
-# - CVE-2017-5029
+# - CVE-2017-5029
 build() {
 cd "$builddir"
@@ -45,4 +48,5 @@ py() {
 }
 sha512sums="9012d643625d827b131c825a103f2e2a5f3cbd45d3cdf3318378e8f046da8d084db51c6b0078b5850a26adc81ba3bf357101d65ef510eff54c8b416a71efed92 libxslt-1.1.31.tar.gz
-9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch"
+9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch
+ec0a7cd35f9078a3939ef6c695f183d9a0da5dd837d0a7f586b89a07c0c0782384501e4c1532b4d9ee7e94e717c37179f470bae59923d0074b309f09b5bf18fa CVE-2019-18197.patch"
diff --git a/main/libxslt/CVE-2019-18197.patch b/main/libxslt/CVE-2019-18197.patch
new file mode 100644
index 0000000000..a8c7cf541d
--- /dev/null
+++ b/main/libxslt/CVE-2019-18197.patch
@@ -0,0 +1,30 @@
+From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 17 Aug 2019 16:51:53 +0200
+Subject: [PATCH] Fix dangling pointer in xsltCopyText
+
+xsltCopyText didn't reset ctxt->lasttext in some cases which could
+lead to various memory errors in relation with CDATA sections in input
+documents.
+
+Found by OSS-Fuzz.
+---
+ libxslt/transform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 95ebd073..d7ab0b66 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ if ((copy->content = xmlStrdup(cur->content)) == NULL)
+ return NULL;
+ }
++
++ ctxt->lasttext = NULL;
+ } else {
+ /*
+ * normal processing. keep counters to extend the text node
+-- 
+2.22.0
+
-- cgit v1.2.3
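Review bot: The `return NULL;` taken when `xmlStrdup` fails, two lines above the added reset in the embedded transform.c hunk, leaves the function before `ctxt->lasttext = NULL;` runs, so on that error path the cached pointer keeps whatever value it had on entry. Whether that value can be stale there cannot be decided from this hunk, because xsltCopyText starts and ends outside it; it is worth confirming against the upstream source before relying on this backport as the complete fix. The reset would also benefit from a short why-comment, for example `/* this branch does not maintain the lasttext cache; clear it so it cannot dangle */`, since the reason is currently recorded only in the patch description.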