Bug#944064: buster-pu: package libxslt/1.1.32-2.2~deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi SRM'ers

libxslt is affected by CVE-2019-18197 and the issue was fixed in
unstable via the NMU 1.1.32-2.2 cherry picking the upstream commit. As
per the previous upload here, the simplest seems to be to do a rebuild of
1.1.32-2.2 for buster, versioned as 1.1.32-2.2~deb10u1.

Attached is the full resulting debdiff against the current
1.1.32-2.1~deb10u1 in buster.

Regards,
Salvatore
diff -Nru libxslt-1.1.32/debian/changelog libxslt-1.1.32/debian/changelog
--- libxslt-1.1.32/debian/changelog 2019-08-09 21:49:31.000000000 +0200
+++ libxslt-1.1.32/debian/changelog 2019-11-03 17:11:47.000000000 +0100
@@ -1,8 +1,15 @@
-libxslt (1.1.32-2.1~deb10u1) buster; urgency=medium
+libxslt (1.1.32-2.2~deb10u1) buster; urgency=medium
* Rebuild for buster
- -- Salvatore Bonaccorso <carnil@debian.org> Fri, 09 Aug 2019 21:49:31 +0200
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 03 Nov 2019 17:11:47 +0100
+
+libxslt (1.1.32-2.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix dangling pointer in xsltCopyText (CVE-2019-18197) (Closes: #942646)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 19 Oct 2019 21:21:23 +0200
libxslt (1.1.32-2.1) unstable; urgency=medium
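Review bot: the top stanza for 1.1.32-2.2~deb10u1 says only "Rebuild for buster", so CVE-2019-18197 and Closes: #942646 appear only in the merged 1.1.32-2.2 stanza beneath it. Consider naming the CVE in the buster stanza too, or building the source with -v1.1.32-2.1~deb10u1 so that both stanzas are carried into the .changes file.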
diff -Nru libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch
--- libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch 2019-10-19 21:21:23.000000000 +0200
@@ -0,0 +1,35 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 17 Aug 2019 16:51:53 +0200
+Subject: Fix dangling pointer in xsltCopyText
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18197
+Bug-Debian: https://bugs.debian.org/942646
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
+
+xsltCopyText didn't reset ctxt->lasttext in some cases which could
+lead to various memory errors in relation with CDATA sections in input
+documents.
+
+Found by OSS-Fuzz.
+---
+ libxslt/transform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 95ebd0732f95..d7ab0b6677cc 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ if ((copy->content = xmlStrdup(cur->content)) == NULL)
+ return NULL;
+ }
++
++ ctxt->lasttext = NULL;
+ } else {
+ /*
+ * normal processing. keep counters to extend the text node
+--
+2.20.1
+
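Review bot: in the embedded transform.c hunk, the added "ctxt->lasttext = NULL;" sits at the end of the branch, after the "return NULL" taken when xmlStrdup fails, so that error path leaves ctxt->lasttext as it was. It is worth confirming with upstream whether the pointer can still be stale on that path, or whether the reset belongs before the allocation. The diffstat also shows only transform.c changing, so no regression test for the CDATA case described in the commit message comes along with the fix.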
diff -Nru libxslt-1.1.32/debian/patches/series libxslt-1.1.32/debian/patches/series
--- libxslt-1.1.32/debian/patches/series 2019-08-04 08:14:05.000000000 +0200
+++ libxslt-1.1.32/debian/patches/series 2019-10-19 21:21:23.000000000 +0200
@@ -6,3 +6,4 @@
0006-Fix-security-framework-bypass.patch
0007-Fix-uninitialized-read-of-xsl-number-token.patch
0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch
+0009-Fix-dangling-pointer-in-xsltCopyText.patch