Bug#934329: buster-pu: package libxslt/1.1.32-2.1~deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi stable release manager,
I did a NMU upload for libxslt fixing three CVEs. As the veresion in
buster is the same + fixes in unstable I opted for a rebuild for
buster "variant". The issues are no-dsa but they should be fixed at
some point in buster and stretch (the later not yet prepared).
Attached is the resulting debdiff.
Regards,
Salvatore
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru libxslt-1.1.32/debian/changelog libxslt-1.1.32/debian/changelog
--- libxslt-1.1.32/debian/changelog 2018-05-26 23:12:37.000000000 +0200
+++ libxslt-1.1.32/debian/changelog 2019-08-09 21:49:31.000000000 +0200
@@ -1,3 +1,20 @@
+libxslt (1.1.32-2.1~deb10u1) buster; urgency=medium
+
+ * Rebuild for buster
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 09 Aug 2019 21:49:31 +0200
+
+libxslt (1.1.32-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix security framework bypass (CVE-2019-11068) (Closes: #926895, #933743)
+ * Fix uninitialized read of xsl:number token (CVE-2019-13117)
+ (Closes: #931321, #933743)
+ * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118)
+ (Closes: #931320, #933743)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 04 Aug 2019 08:14:05 +0200
+
libxslt (1.1.32-2) unstable; urgency=medium
* Team upload.
diff -Nru libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch
--- libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch 2019-08-04 08:14:05.000000000 +0200
@@ -0,0 +1,124 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: Fix security framework bypass
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11068
+Bug: https://gitlab.gnome.org/GNOME/libxslt/issues/12
+Bug-Debian: https://bugs.debian.org/926895
+Bug-Debian: https://bugs.debian.org/933743
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c | 9 +++++----
+ libxslt/transform.c | 9 +++++----
+ libxslt/xslt.c | 9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312ca8e..4aad11bbd1a9 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(ctxt->sec, ctxt, URI);
+- if (res == 0) {
+- xsltTransformError(ctxt, NULL, NULL,
+- "xsltLoadDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(ctxt, NULL, NULL,
++ "xsltLoadDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, URI);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltLoadStyleDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltLoadStyleDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cca90e..3783b2476d9e 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ int secres;
+
+ secres = xsltCheckRead(sec, NULL, URI);
+- if (secres == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsl:import: read rights for %s denied\n",
+- URI);
++ if (secres <= 0) {
++ if (secres == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsl:import: read rights for %s denied\n",
++ URI);
+ goto error;
+ }
+ }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914f5d3..0636dbd0a242 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ */
+ if (ctxt->sec != NULL) {
+ ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+- if (ret == 0) {
+- xsltTransformError(ctxt, NULL, inst,
+- "xsltDocumentElem: write rights for %s denied\n",
+- filename);
++ if (ret <= 0) {
++ if (ret == 0)
++ xsltTransformError(ctxt, NULL, inst,
++ "xsltDocumentElem: write rights for %s denied\n",
++ filename);
+ xmlFree(URL);
+ xmlFree(filename);
+ return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad75ea9..a234eb79bb53 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, filename);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltParseStylesheetFile: read rights for %s denied\n",
+- filename);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltParseStylesheetFile: read rights for %s denied\n",
++ filename);
+ return(NULL);
+ }
+ }
+--
+2.20.1
+
diff -Nru libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch
--- libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch 2019-08-04 08:14:05.000000000 +0200
@@ -0,0 +1,32 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: Fix uninitialized read of xsl:number token
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13117
+Bug-Debian: https://bugs.debian.org/931321
+Bug-Debian: https://bugs.debian.org/933743
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668b2bd..75c31ebaeb88 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ tokens->tokens[tokens->nTokens].token = val - 1;
+ ix += len;
+ val = xmlStringCurrentChar(NULL, format+ix, &len);
+- }
++ } else {
++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++ tokens->tokens[tokens->nTokens].width = 1;
++ }
+ } else if ( (val == (xmlChar)'A') ||
+ (val == (xmlChar)'a') ||
+ (val == (xmlChar)'I') ||
+--
+2.20.1
+
diff -Nru libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch
--- libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch 2019-08-04 08:14:05.000000000 +0200
@@ -0,0 +1,74 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: Fix uninitialized read with UTF-8 grouping chars
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13118
+Bug-Debian: https://bugs.debian.org/931320
+Bug-Debian: https://bugs.debian.org/933743
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 +++--
+ tests/docs/bug-222.xml | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed88468257..20b99d5adef0 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+ number = floor((scale * number + 0.5)) / scale;
+ if ((self->grouping != NULL) &&
+ (self->grouping[0] != 0)) {
++ int gchar;
+
+ len = xmlStrlen(self->grouping);
+- pchar = xsltGetUTF8Char(self->grouping, &len);
++ gchar = xsltGetUTF8Char(self->grouping, &len);
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+ format_info.group,
+- pchar, len);
++ gchar, len);
+ } else
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 000000000000..69d62f2c9aef
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 000000000000..e3139698eb49
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 000000000000..e32dc47337cb
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++ <xsl:decimal-format name="f" grouping-separator="⠢"/>
++ <xsl:template match="/">
++ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++ </xsl:template>
++</xsl:stylesheet>
+--
+2.20.1
+
diff -Nru libxslt-1.1.32/debian/patches/series libxslt-1.1.32/debian/patches/series
--- libxslt-1.1.32/debian/patches/series 2018-05-26 13:46:33.000000000 +0200
+++ libxslt-1.1.32/debian/patches/series 2019-08-04 08:14:05.000000000 +0200
@@ -3,3 +3,6 @@
0003-fix-typo.patch
0004-Make-generate-id-deterministic.patch
0005-remove-plugin-in-xslt-config.patch
+0006-Fix-security-framework-bypass.patch
+0007-Fix-uninitialized-read-of-xsl-number-token.patch
+0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch
Reply to: