Commit 07f84335 authored by Leo's avatar Leo Committed by Kevin Daudt

main/libxslt: fix CVE-2019-18197

ref #10916

Closes !916
parent b536611e
......@@ -2,7 +2,7 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
pkgname=libxslt
pkgver=1.1.33
pkgrel=1
pkgrel=2
pkgdesc="XML stylesheet transformation library"
url="http://xmlsoft.org/XSLT/"
arch="all"
......@@ -11,14 +11,17 @@ makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python2-dev"
subpackages="$pkgname-dev $pkgname-doc py2-$pkgname:py2"
source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
CVE-2019-11068.patch
CVE-2019-18197.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 1.1.33-r2:
# - CVE-2019-18197
# 1.1.33-r1:
# - CVE-2019-11068
# - CVE-2019-11068
# 1.1.29-r1:
# - CVE-2017-5029
# - CVE-2017-5029
build() {
cd "$builddir"
......@@ -47,4 +50,5 @@ py2() {
}
sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0 libxslt-1.1.33.tar.gz
9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch"
9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch
ec0a7cd35f9078a3939ef6c695f183d9a0da5dd837d0a7f586b89a07c0c0782384501e4c1532b4d9ee7e94e717c37179f470bae59923d0074b309f09b5bf18fa CVE-2019-18197.patch"
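Review bot: The upstream tarball in `source=` (second hunk) is still fetched over plain `http://`, so the pinned `sha512sums` entry is the only thing that authenticates it, and that digest is only as trustworthy as the channel it was first computed over. If the upstream host serves the same path over TLS, `source="https://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz` would be the safer form. The new `CVE-2019-18197.patch` entry is a local file and is covered by its own checksum line. The hunks holding `source=` and the `secfixes` block start mid-file, so the rest of the APKBUILD cannot be checked from here.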
From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 17 Aug 2019 16:51:53 +0200
Subject: [PATCH] Fix dangling pointer in xsltCopyText
xsltCopyText didn't reset ctxt->lasttext in some cases which could
lead to various memory errors in relation with CDATA sections in input
documents.
Found by OSS-Fuzz.
---
libxslt/transform.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 95ebd073..d7ab0b66 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
if ((copy->content = xmlStrdup(cur->content)) == NULL)
return NULL;
}
+
+ ctxt->lasttext = NULL;
} else {
/*
* normal processing. keep counters to extend the text node
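Review bot: The added `ctxt->lasttext = NULL;` just before `} else {` has no comment, and nothing in the hunk says why this branch (presumably the CDATA path the commit message refers to) must drop the cached pointer while the `else` branch keeps its counters. A one-line comment above the assignment would stop the reset from being removed later as redundant, for example `/* this copy is not tracked for extension; forget the cached text node so a later append cannot reuse a stale pointer */`. The patch changes only transform.c, so no regression input for the OSS-Fuzz finding comes with it; carrying one, if upstream has it, would let a package check confirm the fix. xsltCopyText starts and ends outside the hunk, so whether other exits also leave `lasttext` set cannot be verified from here.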
--
2.22.0