
Bug#946159: stretch-pu: package libxslt/1.1.29-2.1+deb9u2



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

This update addresses CVE-2019-18197 as well for stretch (was already
done for buster in the last point release). Attaching the resulting
debdiff.

Regards,
Salvatore
diff -Nru libxslt-1.1.29/debian/changelog libxslt-1.1.29/debian/changelog
--- libxslt-1.1.29/debian/changelog	2019-08-24 14:04:13.000000000 +0200
+++ libxslt-1.1.29/debian/changelog	2019-12-04 15:41:16.000000000 +0100
@@ -1,3 +1,10 @@
+libxslt (1.1.29-2.1+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix dangling pointer in xsltCopyText (CVE-2019-18197) (Closes: #942646)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 04 Dec 2019 15:41:16 +0100
+
 libxslt (1.1.29-2.1+deb9u1) stretch; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch
--- libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch	2019-12-04 15:41:16.000000000 +0100
@@ -0,0 +1,35 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 17 Aug 2019 16:51:53 +0200
+Subject: Fix dangling pointer in xsltCopyText
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18197
+Bug-Debian: https://bugs.debian.org/942646
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
+
+xsltCopyText didn't reset ctxt->lasttext in some cases which could
+lead to various memory errors in relation with CDATA sections in input
+documents.
+
+Found by OSS-Fuzz.
+---
+ libxslt/transform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 95ebd0732f95..d7ab0b6677cc 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ 	    if ((copy->content = xmlStrdup(cur->content)) == NULL)
+ 		return NULL;
+ 	}
++
++	ctxt->lasttext = NULL;
+     } else {
+         /*
+ 	 * normal processing. keep counters to extend the text node
+-- 
+2.20.1
+
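Review bot: In the xsltCopyText hunk of the embedded upstream patch, the added `ctxt->lasttext = NULL;` sits after the `return NULL` taken when xmlStrdup fails, so that error path still returns with ctxt->lasttext unchanged. Consider clearing the pointer before the xmlStrdup call, or on the failure path as well, so that this exit also leaves it reset. A one-line comment above the assignment saying why the cached pointer is cleared in this branch would help future readers, and since the diffstat lists only libxslt/transform.c, a regression input derived from one of the referenced OSS-Fuzz reports would be worth adding alongside the fix.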
diff -Nru libxslt-1.1.29/debian/patches/series libxslt-1.1.29/debian/patches/series
--- libxslt-1.1.29/debian/patches/series	2019-08-24 14:04:13.000000000 +0200
+++ libxslt-1.1.29/debian/patches/series	2019-12-04 15:41:16.000000000 +0100
@@ -9,3 +9,4 @@
 0009-Fix-security-framework-bypass.patch
 0010-Fix-uninitialized-read-of-xsl-number-token.patch
 0011-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch
+0012-Fix-dangling-pointer-in-xsltCopyText.patch
