From 584dbc2f0a30bb4011d5e14a69ba3bba99b89613 Mon Sep 17 00:00:00 2001 From: Gustavo Zacarias Date: Fri, 2 Mar 2012 12:00:34 -0300 Subject: libxslt: add multiple security patches Add security patches for CVE-2011-1202 and CVE-2011-3970. Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard --- package/libxslt/libxslt-1.1.26-configure.patch | 18 +++++++ package/libxslt/libxslt-1.1.26-id-generation.patch | 56 ++++++++++++++++++++++ ...libxslt-1.1.26-pattern-out-of-bounds-read.patch | 27 +++++++++++ package/libxslt/libxslt-configure.patch | 18 ------- 4 files changed, 101 insertions(+), 18 deletions(-) create mode 100644 package/libxslt/libxslt-1.1.26-configure.patch create mode 100644 package/libxslt/libxslt-1.1.26-id-generation.patch create mode 100644 package/libxslt/libxslt-1.1.26-pattern-out-of-bounds-read.patch delete mode 100644 package/libxslt/libxslt-configure.patch diff --git a/package/libxslt/libxslt-1.1.26-configure.patch b/package/libxslt/libxslt-1.1.26-configure.patch new file mode 100644 index 000000000..aae2e9e28 --- /dev/null +++ b/package/libxslt/libxslt-1.1.26-configure.patch @@ -0,0 +1,18 @@ +--- a/configure 2007-06-12 12:43:03.000000000 -0400 ++++ b/configure 2008-02-18 08:52:36.000000000 -0500 +@@ -22090,15 +22090,11 @@ esac + + + +-XSLT_LIBDIR='-L${libdir}' +-XSLT_INCLUDEDIR='-I${includedir}' + XSLT_LIBS="-lxslt $LIBXML_LIBS $M_LIBS" + + + + +-EXSLT_LIBDIR='-L${libdir}' +-EXSLT_INCLUDEDIR='-I${includedir}' + EXSLT_LIBS="-lexslt $XSLT_LIBS $LIBGCRYPT_LIBS" + + diff --git a/package/libxslt/libxslt-1.1.26-id-generation.patch b/package/libxslt/libxslt-1.1.26-id-generation.patch new file mode 100644 index 000000000..f8f4c2a95 --- /dev/null +++ b/package/libxslt/libxslt-1.1.26-id-generation.patch @@ -0,0 +1,56 @@ +From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 22 Feb 2011 02:14:23 +0000 +Subject: Fix generate-id() to not expose object addresses + +As pointed out by Chris Evans it's better +security wise to not expose object addresses directly, use a diff +w.r.t. the document root own address to avoid this +* libxslt/functions.c: fix IDs generation code +--- +diff --git a/libxslt/functions.c b/libxslt/functions.c +index 4720c7a..de962f4 100644 +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) + void + xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ + xmlNodePtr cur = NULL; +- unsigned long val; +- xmlChar str[20]; ++ long val; ++ xmlChar str[30]; ++ xmlDocPtr doc; + + if (nargs == 0) { + cur = ctxt->context->node; +@@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ + * Okay this is ugly but should work, use the NodePtr address + * to forge the ID + */ +- val = (unsigned long)((char *)cur - (char *)0); +- val /= sizeof(xmlNode); +- sprintf((char *)str, "id%ld", val); ++ if (cur->type != XML_NAMESPACE_DECL) ++ doc = cur->doc; ++ else { ++ xmlNsPtr ns = (xmlNsPtr) cur; ++ ++ if (ns->context != NULL) ++ doc = ns->context; ++ else ++ doc = ctxt->context->doc; ++ ++ } ++ ++ val = (long)((char *)cur - (char *)doc); ++ if (val >= 0) { ++ sprintf((char *)str, "idp%ld", val); ++ } else { ++ sprintf((char *)str, "idm%ld", -val); ++ } + valuePush(ctxt, xmlXPathNewString(str)); + } + +-- +cgit v0.8.3.4 diff --git a/package/libxslt/libxslt-1.1.26-pattern-out-of-bounds-read.patch b/package/libxslt/libxslt-1.1.26-pattern-out-of-bounds-read.patch new file mode 100644 index 000000000..cd2e292f4 --- /dev/null +++ b/package/libxslt/libxslt-1.1.26-pattern-out-of-bounds-read.patch @@ -0,0 +1,27 @@ +From fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b Mon Sep 17 00:00:00 2001 +From: Abhishek Arya +Date: Sun, 22 Jan 2012 17:47:50 +0800 +Subject: [PATCH] Fix some case of pattern parsing errors + +We could accidentally hit an off by one string array access +due to improper loop exit when parsing patterns +--- + libxslt/pattern.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +diff --git a/libxslt/pattern.c b/libxslt/pattern.c +index 6161376..1155b54 100644 +--- a/libxslt/pattern.c ++++ b/libxslt/pattern.c +@@ -1867,6 +1867,8 @@ xsltCompilePatternInternal(const xmlChar *pattern, xmlDocPtr doc, + while ((pattern[end] != 0) && (pattern[end] != '"')) + end++; + } ++ if (pattern[end] == 0) ++ break; + end++; + } + if (current == end) { +-- +1.7.8.4 + diff --git a/package/libxslt/libxslt-configure.patch b/package/libxslt/libxslt-configure.patch deleted file mode 100644 index aae2e9e28..000000000 --- a/package/libxslt/libxslt-configure.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- a/configure 2007-06-12 12:43:03.000000000 -0400 -+++ b/configure 2008-02-18 08:52:36.000000000 -0500 -@@ -22090,15 +22090,11 @@ esac - - - --XSLT_LIBDIR='-L${libdir}' --XSLT_INCLUDEDIR='-I${includedir}' - XSLT_LIBS="-lxslt $LIBXML_LIBS $M_LIBS" - - - - --EXSLT_LIBDIR='-L${libdir}' --EXSLT_INCLUDEDIR='-I${includedir}' - EXSLT_LIBS="-lexslt $XSLT_LIBS $LIBGCRYPT_LIBS" - - -- cgit v1.2.3