--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package libxslt/1.1.28-2+deb8u3
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Fri, 14 Apr 2017 08:36:59 +0200
- Message-id: <149215181928.30587.3576443691804770964.reportbug@lorien.valinor.li>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi
Given the next jessie point release is approaching I would like to
propose a fix for CVE-2017-5029, #858546 via the upcoming point
release.
Attached is the full debdiff.
The debian/changelog reads as
+libxslt (1.1.28-2+deb8u3) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Check for integer overflow in xsltAddTextString (CVE-2017-5029)
+ (Closes: #858546)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 14 Apr 2017 08:28:09 +0200
Regards,
Salvatore
diff -Nru libxslt-1.1.28/debian/changelog libxslt-1.1.28/debian/changelog
--- libxslt-1.1.28/debian/changelog 2016-11-06 21:43:39.000000000 +0100
+++ libxslt-1.1.28/debian/changelog 2017-04-14 08:28:09.000000000 +0200
@@ -1,3 +1,11 @@
+libxslt (1.1.28-2+deb8u3) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Check for integer overflow in xsltAddTextString (CVE-2017-5029)
+ (Closes: #858546)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 14 Apr 2017 08:28:09 +0200
+
libxslt (1.1.28-2+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch
--- libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch 2017-04-14 08:28:09.000000000 +0200
@@ -0,0 +1,74 @@
+From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 12 Jan 2017 15:39:52 +0100
+Subject: [PATCH] Check for integer overflow in xsltAddTextString
+
+Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
+exploited to trigger an out of bounds write on 64-bit systems.
+
+Originally reported to Chromium:
+
+https://crbug.com/676623
+---
+ libxslt/transform.c | 25 ++++++++++++++++++++++---
+ libxslt/xsltInternals.h | 4 ++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 519133fc..02bff34a 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ return(target);
+
+ if (ctxt->lasttext == target->content) {
++ int minSize;
+
+- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
++ /* Check for integer overflow accounting for NUL terminator. */
++ if (len >= INT_MAX - ctxt->lasttuse) {
++ xsltTransformError(ctxt, NULL, target,
++ "xsltCopyText: text allocation failed\n");
++ return(NULL);
++ }
++ minSize = ctxt->lasttuse + len + 1;
++
++ if (ctxt->lasttsize < minSize) {
+ xmlChar *newbuf;
+ int size;
++ int extra;
++
++ /* Double buffer size but increase by at least 100 bytes. */
++ extra = minSize < 100 ? 100 : minSize;
++
++ /* Check for integer overflow. */
++ if (extra > INT_MAX - ctxt->lasttsize) {
++ size = INT_MAX;
++ }
++ else {
++ size = ctxt->lasttsize + extra;
++ }
+
+- size = ctxt->lasttsize + len + 100;
+- size *= 2;
+ newbuf = (xmlChar *) xmlRealloc(target->content,size);
+ if (newbuf == NULL) {
+ xsltTransformError(ctxt, NULL, target,
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 060b1783..5ad17719 100644
+--- a/libxslt/xsltInternals.h
++++ b/libxslt/xsltInternals.h
+@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
+ * Speed optimization when coalescing text nodes
+ */
+ const xmlChar *lasttext; /* last text node content */
+- unsigned int lasttsize; /* last text node size */
+- unsigned int lasttuse; /* last text node use */
++ int lasttsize; /* last text node size */
++ int lasttuse; /* last text node use */
+ /*
+ * Per Context Debugging
+ */
+--
+2.11.0
+
diff -Nru libxslt-1.1.28/debian/patches/series libxslt-1.1.28/debian/patches/series
--- libxslt-1.1.28/debian/patches/series 2016-11-06 21:43:39.000000000 +0100
+++ libxslt-1.1.28/debian/patches/series 2017-04-14 08:28:09.000000000 +0200
@@ -18,3 +18,4 @@
0018-Fix-buffer-overflow-in-exsltDateFormat.patch
0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch
0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch
+0021-Check-for-integer-overflow-in-xsltAddTextString.patch
--- End Message ---