
Bug#860289: marked as done (jessie-pu: package libxslt/1.1.28-2+deb8u3)



Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #860289,
regarding jessie-pu: package libxslt/1.1.28-2+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860289: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860289
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

Given the next jessie point release is approaching, I would like to
propose a fix for CVE-2017-5029, #858546 via the upcoming point
release.

Attached is the full debdiff.

The debian/changelog reads as

+libxslt (1.1.28-2+deb8u3) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Check for integer overflow in xsltAddTextString (CVE-2017-5029)
+    (Closes: #858546)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 14 Apr 2017 08:28:09 +0200

Regards,
Salvatore
diff -Nru libxslt-1.1.28/debian/changelog libxslt-1.1.28/debian/changelog
--- libxslt-1.1.28/debian/changelog	2016-11-06 21:43:39.000000000 +0100
+++ libxslt-1.1.28/debian/changelog	2017-04-14 08:28:09.000000000 +0200
@@ -1,3 +1,11 @@
+libxslt (1.1.28-2+deb8u3) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Check for integer overflow in xsltAddTextString (CVE-2017-5029)
+    (Closes: #858546)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 14 Apr 2017 08:28:09 +0200
+
 libxslt (1.1.28-2+deb8u2) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch
--- libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch	2017-04-14 08:28:09.000000000 +0200
@@ -0,0 +1,74 @@
+From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 12 Jan 2017 15:39:52 +0100
+Subject: [PATCH] Check for integer overflow in xsltAddTextString
+
+Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
+exploited to trigger an out of bounds write on 64-bit systems.
+
+Originally reported to Chromium:
+
+https://crbug.com/676623
+---
+ libxslt/transform.c     | 25 ++++++++++++++++++++++---
+ libxslt/xsltInternals.h |  4 ++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 519133fc..02bff34a 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+         return(target);
+ 
+     if (ctxt->lasttext == target->content) {
++        int minSize;
+ 
+-	if (ctxt->lasttuse + len >= ctxt->lasttsize) {
++        /* Check for integer overflow accounting for NUL terminator. */
++        if (len >= INT_MAX - ctxt->lasttuse) {
++            xsltTransformError(ctxt, NULL, target,
++                "xsltCopyText: text allocation failed\n");
++            return(NULL);
++        }
++        minSize = ctxt->lasttuse + len + 1;
++
++        if (ctxt->lasttsize < minSize) {
+ 	    xmlChar *newbuf;
+ 	    int size;
++            int extra;
++
++            /* Double buffer size but increase by at least 100 bytes. */
++            extra = minSize < 100 ? 100 : minSize;
++
++            /* Check for integer overflow. */
++            if (extra > INT_MAX - ctxt->lasttsize) {
++                size = INT_MAX;
++            }
++            else {
++                size = ctxt->lasttsize + extra;
++            }
+ 
+-	    size = ctxt->lasttsize + len + 100;
+-	    size *= 2;
+ 	    newbuf = (xmlChar *) xmlRealloc(target->content,size);
+ 	    if (newbuf == NULL) {
+ 		xsltTransformError(ctxt, NULL, target,
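Review bot: the new rejection path reports "xsltCopyText: text allocation failed" although the hunk header places it in xsltAddTextString, and the same text is reused for the genuine xmlRealloc failure a few lines below, so a log reader cannot tell an over-INT_MAX append from an out-of-memory condition; name the real function and say "text too long" or similar in the first message. The comment "Double buffer size but increase by at least 100 bytes" also does not match the code under it: `extra = minSize < 100 ? 100 : minSize` adds minSize, not lasttsize. Since this branch only runs when `ctxt->lasttsize < minSize`, the result is at least a doubling, so the comment could simply say that. Finally, `len >= INT_MAX - ctxt->lasttuse` is only a well-defined subtraction while lasttuse is non-negative, which the signed types introduced in the xsltInternals.h hunk no longer enforce; that invariant is worth stating. The cap `size = INT_MAX` itself is sound, because the first check has already established minSize <= INT_MAX, so the reallocated buffer always covers minSize.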
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 060b1783..5ad17719 100644
+--- a/libxslt/xsltInternals.h
++++ b/libxslt/xsltInternals.h
+@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
+      * Speed optimization when coalescing text nodes
+      */
+     const xmlChar  *lasttext;		/* last text node content */
+-    unsigned int    lasttsize;		/* last text node size */
+-    unsigned int    lasttuse;		/* last text node use */
++    int             lasttsize;		/* last text node size */
++    int             lasttuse;		/* last text node use */
+     /*
+      * Per Context Debugging
+      */
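Review bot: switching lasttsize and lasttuse from unsigned int to int keeps the struct size and alignment, so the stable-update ABI is unaffected, but these fields live in a public header and now carry signed semantics that the overflow checks in transform.c depend on (both `INT_MAX - ctxt->lasttuse` and `INT_MAX - ctxt->lasttsize` assume non-negative values). A short comment next to the two fields recording that they are always >= 0 and bounded by INT_MAX would document the contract for anyone reading or touching the context struct.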
+-- 
+2.11.0
+
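Review bot: the patch file carries only the git-format-patch header (upstream commit 08ab2774b870de1c7b5a48693df75e8154addae5, author, and the crbug link). Debian's DEP-3 convention expects explicit Origin:, Bug-Debian: (#858546, per the changelog entry) and a mention of CVE-2017-5029 in the header so that the security tracker and patch-tracking tools can match the backport without parsing the From: line; adding those three fields above the body would bring it in line with the other patches in the series.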
diff -Nru libxslt-1.1.28/debian/patches/series libxslt-1.1.28/debian/patches/series
--- libxslt-1.1.28/debian/patches/series	2016-11-06 21:43:39.000000000 +0100
+++ libxslt-1.1.28/debian/patches/series	2017-04-14 08:28:09.000000000 +0200
@@ -18,3 +18,4 @@
 0018-Fix-buffer-overflow-in-exsltDateFormat.patch
 0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch
 0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch
+0021-Check-for-integer-overflow-in-xsltAddTextString.patch

--- End Message ---
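The wrap described in the commit message above, worked through as an added example. This is editor-supplied code, not libxslt's: it reproduces only the size arithmetic of xsltAddTextString before and after the hunk, with the field types taken from the xsltInternals.h change, on constructed inputs, so no buffer is actually allocated. The growth_t struct, the names old_growth, new_growth and growth_is_safe, and the sample sizes are assumptions made for the demonstration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of one growth decision in xsltAddTextString, modelled without
 * allocating anything.  (Hypothetical type for this demo.) */
typedef struct {
    int grow;          /* 1 if the code would call xmlRealloc */
    int rejected;      /* 1 if the patched code refuses the append */
    long long size;    /* the size it would pass to xmlRealloc, if grow */
    long long needed;  /* bytes really required: lasttuse + len + NUL */
} growth_t;

/* Pre-patch arithmetic: lasttsize/lasttuse were unsigned int, len is int,
 * and 'size' was an int.  The 32-bit wrap is reproduced with uint32_t so
 * the model itself has no undefined behaviour. */
growth_t old_growth(uint32_t lasttsize, uint32_t lasttuse, int len)
{
    growth_t g = { 0, 0, 0, (long long)lasttuse + len + 1 };

    /* if (ctxt->lasttuse + len >= ctxt->lasttsize)  -- unsigned compare */
    if (lasttuse + (uint32_t)len >= lasttsize) {
        uint32_t size = lasttsize + (uint32_t)len + 100u; /* size = lasttsize + len + 100; */
        size *= 2u;                                        /* size *= 2; */
        g.grow = 1;
        /* value the int variable ends up holding (two's complement) */
        g.size = size > (uint32_t)INT32_MAX ? (long long)size - 4294967296LL
                                            : (long long)size;
    }
    return g;
}

/* Patched arithmetic, fields now int (see the xsltInternals.h hunk). */
growth_t new_growth(int lasttsize, int lasttuse, int len)
{
    growth_t g = { 0, 0, 0, (long long)lasttuse + len + 1 };
    int minSize, extra, size;

    /* Check for integer overflow accounting for NUL terminator. */
    if (len >= INT_MAX - lasttuse) {
        g.rejected = 1;
        return g;
    }
    minSize = lasttuse + len + 1;
    if (lasttsize < minSize) {
        /* grow by at least 100 bytes and by at least minSize (>= doubling) */
        extra = minSize < 100 ? 100 : minSize;
        if (extra > INT_MAX - lasttsize)
            size = INT_MAX;          /* capped; still >= minSize */
        else
            size = lasttsize + extra;
        g.grow = 1;
        g.size = size;
    }
    return g;
}

/* 1 when the buffer the code would end up with holds the text plus NUL. */
int growth_is_safe(long long lasttsize, growth_t g)
{
    long long have = g.grow ? g.size : lasttsize;
    return g.rejected || have >= g.needed;
}

int main(void)
{
    /* Constructed scenario: ~1 GiB of text already coalesced into the node
     * (lasttuse) inside a 1 GiB buffer (lasttsize), and the stylesheet
     * appends another 1 GiB.  Only a 64-bit process would get this far. */
    uint32_t tsize = 0x40000000u, tuse = 0x3FFFFFF0u;
    int len = 0x40000000;
    growth_t o = old_growth(tsize, tuse, len);
    growth_t n = new_growth((int)tsize, (int)tuse, len);

    printf("old: grow=%d realloc=%lld needed=%lld safe=%d\n",
           o.grow, o.size, o.needed, growth_is_safe(tsize, o));
    printf("new: grow=%d rejected=%d realloc=%lld needed=%lld safe=%d\n",
           n.grow, n.rejected, n.size, n.needed, growth_is_safe(tsize, n));
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run. With the sample sizes the old arithmetic asks xmlRealloc for 200 bytes while about 2 GiB are needed, and the subsequent copy of len bytes into that buffer is the out-of-bounds write; the patched arithmetic caps the request at INT_MAX, which its first check has already shown is enough, and refuses an append that could never fit.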
--- Begin Message ---
Version: 8.8

Hi,

Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!

Regards,

Adam

--- End Message ---
