libxslt: patch security issue and add CPE id
Fixes CVE-2019-11068 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
This commit is contained in:
Jan Pavlinec
parent
3c6ca66a49
commit
d410c6b0b6
|
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=libxslt
|
||||
PKG_VERSION:=1.1.33
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:= \
|
||||
|
|
@ -19,6 +19,7 @@ PKG_HASH:=8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8
|
|||
|
||||
PKG_LICENSE:=MIT
|
||||
PKG_LICENSE_FILES:=COPYING
|
||||
PKG_CPE_ID:=cpe:/a:xmlsoft:libxslt
|
||||
|
||||
PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,120 @@
|
|||
From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sun, 24 Mar 2019 09:51:39 +0100
|
||||
Subject: [PATCH] Fix security framework bypass
|
||||
|
||||
xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
|
||||
don't check for this condition and allow access. With a specially
|
||||
crafted URL, xsltCheckRead could be tricked into returning an error
|
||||
because of a supposedly invalid URL that would still be loaded
|
||||
succesfully later on.
|
||||
|
||||
Fixes #12.
|
||||
|
||||
Thanks to Felix Wilhelm for the report.
|
||||
---
|
||||
libxslt/documents.c | 18 ++++++++++--------
|
||||
libxslt/imports.c | 9 +++++----
|
||||
libxslt/transform.c | 9 +++++----
|
||||
libxslt/xslt.c | 9 +++++----
|
||||
4 files changed, 25 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/libxslt/documents.c b/libxslt/documents.c
|
||||
index 3f3a7312..4aad11bb 100644
|
||||
--- a/libxslt/documents.c
|
||||
+++ b/libxslt/documents.c
|
||||
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
|
||||
int res;
|
||||
|
||||
res = xsltCheckRead(ctxt->sec, ctxt, URI);
|
||||
- if (res == 0) {
|
||||
- xsltTransformError(ctxt, NULL, NULL,
|
||||
- "xsltLoadDocument: read rights for %s denied\n",
|
||||
- URI);
|
||||
+ if (res <= 0) {
|
||||
+ if (res == 0)
|
||||
+ xsltTransformError(ctxt, NULL, NULL,
|
||||
+ "xsltLoadDocument: read rights for %s denied\n",
|
||||
+ URI);
|
||||
return(NULL);
|
||||
}
|
||||
}
|
||||
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
|
||||
int res;
|
||||
|
||||
res = xsltCheckRead(sec, NULL, URI);
|
||||
- if (res == 0) {
|
||||
- xsltTransformError(NULL, NULL, NULL,
|
||||
- "xsltLoadStyleDocument: read rights for %s denied\n",
|
||||
- URI);
|
||||
+ if (res <= 0) {
|
||||
+ if (res == 0)
|
||||
+ xsltTransformError(NULL, NULL, NULL,
|
||||
+ "xsltLoadStyleDocument: read rights for %s denied\n",
|
||||
+ URI);
|
||||
return(NULL);
|
||||
}
|
||||
}
|
||||
diff --git a/libxslt/imports.c b/libxslt/imports.c
|
||||
index 874870cc..3783b247 100644
|
||||
--- a/libxslt/imports.c
|
||||
+++ b/libxslt/imports.c
|
||||
@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
|
||||
int secres;
|
||||
|
||||
secres = xsltCheckRead(sec, NULL, URI);
|
||||
- if (secres == 0) {
|
||||
- xsltTransformError(NULL, NULL, NULL,
|
||||
- "xsl:import: read rights for %s denied\n",
|
||||
- URI);
|
||||
+ if (secres <= 0) {
|
||||
+ if (secres == 0)
|
||||
+ xsltTransformError(NULL, NULL, NULL,
|
||||
+ "xsl:import: read rights for %s denied\n",
|
||||
+ URI);
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
diff --git a/libxslt/transform.c b/libxslt/transform.c
|
||||
index 13793914..0636dbd0 100644
|
||||
--- a/libxslt/transform.c
|
||||
+++ b/libxslt/transform.c
|
||||
@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
|
||||
*/
|
||||
if (ctxt->sec != NULL) {
|
||||
ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
|
||||
- if (ret == 0) {
|
||||
- xsltTransformError(ctxt, NULL, inst,
|
||||
- "xsltDocumentElem: write rights for %s denied\n",
|
||||
- filename);
|
||||
+ if (ret <= 0) {
|
||||
+ if (ret == 0)
|
||||
+ xsltTransformError(ctxt, NULL, inst,
|
||||
+ "xsltDocumentElem: write rights for %s denied\n",
|
||||
+ filename);
|
||||
xmlFree(URL);
|
||||
xmlFree(filename);
|
||||
return;
|
||||
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
|
||||
index 780a5ad7..a234eb79 100644
|
||||
--- a/libxslt/xslt.c
|
||||
+++ b/libxslt/xslt.c
|
||||
@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
|
||||
int res;
|
||||
|
||||
res = xsltCheckRead(sec, NULL, filename);
|
||||
- if (res == 0) {
|
||||
- xsltTransformError(NULL, NULL, NULL,
|
||||
- "xsltParseStylesheetFile: read rights for %s denied\n",
|
||||
- filename);
|
||||
+ if (res <= 0) {
|
||||
+ if (res == 0)
|
||||
+ xsltTransformError(NULL, NULL, NULL,
|
||||
+ "xsltParseStylesheetFile: read rights for %s denied\n",
|
||||
+ filename);
|
||||
return(NULL);
|
||||
}
|
||||
}
|
||||
--
|
||||
2.18.1
|
||||
|
||||
Loading…
Reference in New Issue