
Bug#934329: marked as done (buster-pu: package libxslt/1.1.32-2.1~deb10u1)



Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id <f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #934329,
regarding buster-pu: package libxslt/1.1.32-2.1~deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
934329: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934329
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi stable release manager,

I did an NMU upload for libxslt fixing three CVEs. As the version in
buster is the same + fixes in unstable I opted for a rebuild for
buster "variant". The issues are no-dsa but they should be fixed at
some point in buster and stretch (the latter not yet prepared).

Attached is the resulting debdiff.

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru libxslt-1.1.32/debian/changelog libxslt-1.1.32/debian/changelog
--- libxslt-1.1.32/debian/changelog	2018-05-26 23:12:37.000000000 +0200
+++ libxslt-1.1.32/debian/changelog	2019-08-09 21:49:31.000000000 +0200
@@ -1,3 +1,20 @@
+libxslt (1.1.32-2.1~deb10u1) buster; urgency=medium
+
+  * Rebuild for buster 
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 09 Aug 2019 21:49:31 +0200
+
+libxslt (1.1.32-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix security framework bypass (CVE-2019-11068) (Closes: #926895, #933743)
+  * Fix uninitialized read of xsl:number token (CVE-2019-13117)
+    (Closes: #931321, #933743)
+  * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118)
+    (Closes: #931320, #933743)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 04 Aug 2019 08:14:05 +0200
+
 libxslt (1.1.32-2) unstable; urgency=medium
 
   * Team upload.
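
Review bot: The "* Rebuild for buster " line in the 1.1.32-2.1~deb10u1 stanza ends with a trailing space and says nothing about what the rebuild carries. Drop the trailing whitespace and consider noting that the upload picks up the fixes for CVE-2019-11068, CVE-2019-13117 and CVE-2019-13118 from 1.1.32-2.1, so the point-release changelog entry is self-explanatory.
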
diff -Nru libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch
--- libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.32/debian/patches/0006-Fix-security-framework-bypass.patch	2019-08-04 08:14:05.000000000 +0200
@@ -0,0 +1,124 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: Fix security framework bypass
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11068
+Bug: https://gitlab.gnome.org/GNOME/libxslt/issues/12
+Bug-Debian: https://bugs.debian.org/926895
+Bug-Debian: https://bugs.debian.org/933743
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c   |  9 +++++----
+ libxslt/transform.c |  9 +++++----
+ libxslt/xslt.c      |  9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312ca8e..4aad11bbd1a9 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(ctxt->sec, ctxt, URI);
+-	if (res == 0) {
+-	    xsltTransformError(ctxt, NULL, NULL,
+-		 "xsltLoadDocument: read rights for %s denied\n",
+-			     URI);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(ctxt, NULL, NULL,
++                     "xsltLoadDocument: read rights for %s denied\n",
++                                 URI);
+ 	    return(NULL);
+ 	}
+     }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(sec, NULL, URI);
+-	if (res == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsltLoadStyleDocument: read rights for %s denied\n",
+-			     URI);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsltLoadStyleDocument: read rights for %s denied\n",
++                                 URI);
+ 	    return(NULL);
+ 	}
+     }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cca90e..3783b2476d9e 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ 	int secres;
+ 
+ 	secres = xsltCheckRead(sec, NULL, URI);
+-	if (secres == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsl:import: read rights for %s denied\n",
+-			     URI);
++	if (secres <= 0) {
++            if (secres == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsl:import: read rights for %s denied\n",
++                                 URI);
+ 	    goto error;
+ 	}
+     }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914f5d3..0636dbd0a242 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+      */
+     if (ctxt->sec != NULL) {
+ 	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+-	if (ret == 0) {
+-	    xsltTransformError(ctxt, NULL, inst,
+-		 "xsltDocumentElem: write rights for %s denied\n",
+-			     filename);
++	if (ret <= 0) {
++            if (ret == 0)
++                xsltTransformError(ctxt, NULL, inst,
++                     "xsltDocumentElem: write rights for %s denied\n",
++                                 filename);
+ 	    xmlFree(URL);
+ 	    xmlFree(filename);
+ 	    return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad75ea9..a234eb79bb53 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(sec, NULL, filename);
+-	if (res == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsltParseStylesheetFile: read rights for %s denied\n",
+-			     filename);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsltParseStylesheetFile: read rights for %s denied\n",
++                                 filename);
+ 	    return(NULL);
+ 	}
+     }
+-- 
+2.20.1
+
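
Review bot: At all five call sites (xsltLoadDocument, xsltLoadStyleDocument, xsltParseStylesheetImport, xsltDocumentElem, xsltParseStylesheetFile) the new "res <= 0" branch refuses access silently when the check returns -1, because xsltTransformError is only called under "if (res == 0)". Unless xsltCheckRead and xsltCheckWrite already report their own failure, a load refused because of an unparsable URL leaves nothing in the error output to investigate; add a distinct message for the negative case or a comment stating that the callee has reported it. The added lines are also indented with spaces while the surrounding context uses tabs, and the diffstat lists only the four source files, so there is no regression test for the crafted-URL case the commit message describes.
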
diff -Nru libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch
--- libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.32/debian/patches/0007-Fix-uninitialized-read-of-xsl-number-token.patch	2019-08-04 08:14:05.000000000 +0200
@@ -0,0 +1,32 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: Fix uninitialized read of xsl:number token
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13117
+Bug-Debian: https://bugs.debian.org/931321
+Bug-Debian: https://bugs.debian.org/933743
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668b2bd..75c31ebaeb88 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ 		tokens->tokens[tokens->nTokens].token = val - 1;
+ 		ix += len;
+ 		val = xmlStringCurrentChar(NULL, format+ix, &len);
+-	    }
++	    } else {
++                tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++                tokens->tokens[tokens->nTokens].width = 1;
++            }
+ 	} else if ( (val == (xmlChar)'A') ||
+ 		    (val == (xmlChar)'a') ||
+ 		    (val == (xmlChar)'I') ||
+-- 
+2.20.1
+
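
Review bot: The new "else" branch in xsltNumberFormatTokenize sets the token to '0' and the width to 1 with no comment saying why those are the right defaults when the preceding condition is not met; a one-line comment there would make the intent reviewable. The commit message is limited to "Found by OSS-Fuzz" and the diffstat touches numbers.c alone, so adding the fuzzer reproducer as a test case (as the following patch does under tests/general) would guard the fix against regression.
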
diff -Nru libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch
--- libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.32/debian/patches/0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch	2019-08-04 08:14:05.000000000 +0200
@@ -0,0 +1,74 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: Fix uninitialized read with UTF-8 grouping chars
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13118
+Bug-Debian: https://bugs.debian.org/931320
+Bug-Debian: https://bugs.debian.org/933743
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c         | 5 +++--
+ tests/docs/bug-222.xml    | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed88468257..20b99d5adef0 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+     number = floor((scale * number + 0.5)) / scale;
+     if ((self->grouping != NULL) &&
+         (self->grouping[0] != 0)) {
++        int gchar;
+ 
+ 	len = xmlStrlen(self->grouping);
+-	pchar = xsltGetUTF8Char(self->grouping, &len);
++	gchar = xsltGetUTF8Char(self->grouping, &len);
+ 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ 				format_info.integer_digits,
+ 				format_info.group,
+-				pchar, len);
++				gchar, len);
+     } else
+ 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ 				format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 000000000000..69d62f2c9aef
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 000000000000..e3139698eb49
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 000000000000..e32dc47337cb
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"; version="1.0">
++  <xsl:decimal-format name="f" grouping-separator="⠢"/>
++  <xsl:template match="/">
++    <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++  </xsl:template>
++</xsl:stylesheet>
+-- 
+2.20.1
+
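
Review bot: In the numbers.c hunk the value returned by xsltGetUTF8Char is passed straight to xsltNumberFormatDecimal as "gchar" together with "len", with no check that decoding self->grouping succeeded. Widening the variable to int addresses the truncation the commit message describes; if xsltGetUTF8Char can signal a decode failure through its return value, handle that before the call, for example by taking the non-grouping branch. Separately, in tests/general/bug-222.xsl the xmlns:xsl attribute is followed by a stray ";" as shown here, which would make the stylesheet ill-formed XML; confirm the file as committed does not contain it.
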
diff -Nru libxslt-1.1.32/debian/patches/series libxslt-1.1.32/debian/patches/series
--- libxslt-1.1.32/debian/patches/series	2018-05-26 13:46:33.000000000 +0200
+++ libxslt-1.1.32/debian/patches/series	2019-08-04 08:14:05.000000000 +0200
@@ -3,3 +3,6 @@
 0003-fix-typo.patch
 0004-Make-generate-id-deterministic.patch
 0005-remove-plugin-in-xslt-config.patch
+0006-Fix-security-framework-bypass.patch
+0007-Fix-uninitialized-read-of-xsl-number-token.patch
+0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch

--- End Message ---
--- Begin Message ---
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's
buster point release.

Regards,

Adam

--- End Message ---
