Commit ef2dd8d4 authored by Natanael Copa's avatar Natanael Copa

main/libxslt: security fix for CVE-2019-11068

fixes #10281
parent d6ab6c12
......@@ -2,7 +2,7 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
pkgname=libxslt
pkgver=1.1.29
pkgrel=3
pkgrel=4
pkgdesc="XML stylesheet transformation library"
url="http://xmlsoft.org/XSLT/"
arch="all"
......@@ -10,14 +10,17 @@ license="custom"
depends=
makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python2-dev"
subpackages="$pkgname-dev $pkgname-doc py-$pkgname:py"
source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz
source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
CVE-2017-5029.patch
CVE-2019-11068.patch
"
builddir="$srcdir"/$pkgname-$pkgver
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 1.1.29-r4:
# - CVE-2019-11068
# 1.1.29-r1:
# - CVE-2017-5029
# - CVE-2017-5029
prepare() {
cd "$builddir"
......@@ -45,5 +48,7 @@ py() {
install -d "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/python* "$subpkgdir"/usr/lib/
}
sha512sums="a1ce555a74a9dabe65e8f64bb66e27e77760fd76940d88f2d59f58dd63ca73c8ae59f3fcbd8e76c8f92ff992fb0c09328528c20ea38ccac83e63252106bf5f31 libxslt-1.1.29.tar.gz
586182c5cabf86605bc628c98fcc18ee7120c5917dab25e2f4c013660ccda34f44f4b6c46a7d7473baaa1c208e306c5b4012cc95770e1be88c7aec9121880aa7 CVE-2017-5029.patch"
586182c5cabf86605bc628c98fcc18ee7120c5917dab25e2f4c013660ccda34f44f4b6c46a7d7473baaa1c208e306c5b4012cc95770e1be88c7aec9121880aa7 CVE-2017-5029.patch
9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch"
From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 24 Mar 2019 09:51:39 +0100
Subject: [PATCH] Fix security framework bypass
xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
don't check for this condition and allow access. With a specially
crafted URL, xsltCheckRead could be tricked into returning an error
because of a supposedly invalid URL that would still be loaded
succesfully later on.
Fixes #12.
Thanks to Felix Wilhelm for the report.
---
libxslt/documents.c | 18 ++++++++++--------
libxslt/imports.c | 9 +++++----
libxslt/transform.c | 9 +++++----
libxslt/xslt.c | 9 +++++----
4 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/libxslt/documents.c b/libxslt/documents.c
index 3f3a7312..4aad11bb 100644
--- a/libxslt/documents.c
+++ b/libxslt/documents.c
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
int res;
res = xsltCheckRead(ctxt->sec, ctxt, URI);
- if (res == 0) {
- xsltTransformError(ctxt, NULL, NULL,
- "xsltLoadDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(ctxt, NULL, NULL,
+ "xsltLoadDocument: read rights for %s denied\n",
+ URI);
return(NULL);
}
}
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
int res;
res = xsltCheckRead(sec, NULL, URI);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltLoadStyleDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltLoadStyleDocument: read rights for %s denied\n",
+ URI);
return(NULL);
}
}
diff --git a/libxslt/imports.c b/libxslt/imports.c
index 874870cc..3783b247 100644
--- a/libxslt/imports.c
+++ b/libxslt/imports.c
@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
int secres;
secres = xsltCheckRead(sec, NULL, URI);
- if (secres == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsl:import: read rights for %s denied\n",
- URI);
+ if (secres <= 0) {
+ if (secres == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsl:import: read rights for %s denied\n",
+ URI);
goto error;
}
}
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 13793914..0636dbd0 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
*/
if (ctxt->sec != NULL) {
ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
- if (ret == 0) {
- xsltTransformError(ctxt, NULL, inst,
- "xsltDocumentElem: write rights for %s denied\n",
- filename);
+ if (ret <= 0) {
+ if (ret == 0)
+ xsltTransformError(ctxt, NULL, inst,
+ "xsltDocumentElem: write rights for %s denied\n",
+ filename);
xmlFree(URL);
xmlFree(filename);
return;
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 780a5ad7..a234eb79 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
int res;
res = xsltCheckRead(sec, NULL, filename);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltParseStylesheetFile: read rights for %s denied\n",
- filename);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltParseStylesheetFile: read rights for %s denied\n",
+ filename);
return(NULL);
}
}
--
2.18.1
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment