Bug#935599: stretch-pu: package libxslt/1.1.29-2.1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi SRM,
I preapred a NMU for libxslt incorporating fixes for three CVEs which
are no-dsa but would be good to have fixed as well in stretch
following the fixes for unstable and buster. The debdiff is attached.
Could you consider it as well for the next stretch point release?
Regards,
Salvatore
diff -Nru libxslt-1.1.29/debian/changelog libxslt-1.1.29/debian/changelog
--- libxslt-1.1.29/debian/changelog 2017-03-26 19:44:01.000000000 +0200
+++ libxslt-1.1.29/debian/changelog 2019-08-24 14:04:13.000000000 +0200
@@ -1,3 +1,14 @@
+libxslt (1.1.29-2.1+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix security framework bypass (CVE-2019-11068) (Closes: #926895, #933743)
+ * Fix uninitialized read of xsl:number token (CVE-2019-13117)
+ (Closes: #931321, #933743)
+ * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118)
+ (Closes: #931320, #933743)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 24 Aug 2019 14:04:13 +0200
+
libxslt (1.1.29-2.1) unstable; urgency=high
* Non-maintainer upload.
diff -Nru libxslt-1.1.29/debian/patches/0009-Fix-security-framework-bypass.patch libxslt-1.1.29/debian/patches/0009-Fix-security-framework-bypass.patch
--- libxslt-1.1.29/debian/patches/0009-Fix-security-framework-bypass.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.29/debian/patches/0009-Fix-security-framework-bypass.patch 2019-08-24 14:04:13.000000000 +0200
@@ -0,0 +1,124 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: Fix security framework bypass
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11068
+Bug: https://gitlab.gnome.org/GNOME/libxslt/issues/12
+Bug-Debian: https://bugs.debian.org/926895
+Bug-Debian: https://bugs.debian.org/933743
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c | 9 +++++----
+ libxslt/transform.c | 9 +++++----
+ libxslt/xslt.c | 9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312ca8e..4aad11bbd1a9 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(ctxt->sec, ctxt, URI);
+- if (res == 0) {
+- xsltTransformError(ctxt, NULL, NULL,
+- "xsltLoadDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(ctxt, NULL, NULL,
++ "xsltLoadDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, URI);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltLoadStyleDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltLoadStyleDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cca90e..3783b2476d9e 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ int secres;
+
+ secres = xsltCheckRead(sec, NULL, URI);
+- if (secres == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsl:import: read rights for %s denied\n",
+- URI);
++ if (secres <= 0) {
++ if (secres == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsl:import: read rights for %s denied\n",
++ URI);
+ goto error;
+ }
+ }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914f5d3..0636dbd0a242 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ */
+ if (ctxt->sec != NULL) {
+ ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+- if (ret == 0) {
+- xsltTransformError(ctxt, NULL, inst,
+- "xsltDocumentElem: write rights for %s denied\n",
+- filename);
++ if (ret <= 0) {
++ if (ret == 0)
++ xsltTransformError(ctxt, NULL, inst,
++ "xsltDocumentElem: write rights for %s denied\n",
++ filename);
+ xmlFree(URL);
+ xmlFree(filename);
+ return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad75ea9..a234eb79bb53 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, filename);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltParseStylesheetFile: read rights for %s denied\n",
+- filename);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltParseStylesheetFile: read rights for %s denied\n",
++ filename);
+ return(NULL);
+ }
+ }
+--
+2.20.1
+
diff -Nru libxslt-1.1.29/debian/patches/0010-Fix-uninitialized-read-of-xsl-number-token.patch libxslt-1.1.29/debian/patches/0010-Fix-uninitialized-read-of-xsl-number-token.patch
--- libxslt-1.1.29/debian/patches/0010-Fix-uninitialized-read-of-xsl-number-token.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.29/debian/patches/0010-Fix-uninitialized-read-of-xsl-number-token.patch 2019-08-24 14:04:13.000000000 +0200
@@ -0,0 +1,32 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: Fix uninitialized read of xsl:number token
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13117
+Bug-Debian: https://bugs.debian.org/931321
+Bug-Debian: https://bugs.debian.org/933743
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668b2bd..75c31ebaeb88 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ tokens->tokens[tokens->nTokens].token = val - 1;
+ ix += len;
+ val = xmlStringCurrentChar(NULL, format+ix, &len);
+- }
++ } else {
++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++ tokens->tokens[tokens->nTokens].width = 1;
++ }
+ } else if ( (val == (xmlChar)'A') ||
+ (val == (xmlChar)'a') ||
+ (val == (xmlChar)'I') ||
+--
+2.20.1
+
diff -Nru libxslt-1.1.29/debian/patches/0011-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch libxslt-1.1.29/debian/patches/0011-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch
--- libxslt-1.1.29/debian/patches/0011-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.29/debian/patches/0011-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch 2019-08-24 14:04:13.000000000 +0200
@@ -0,0 +1,74 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: Fix uninitialized read with UTF-8 grouping chars
+Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13118
+Bug-Debian: https://bugs.debian.org/931320
+Bug-Debian: https://bugs.debian.org/933743
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 +++--
+ tests/docs/bug-222.xml | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed88468257..20b99d5adef0 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+ number = floor((scale * number + 0.5)) / scale;
+ if ((self->grouping != NULL) &&
+ (self->grouping[0] != 0)) {
++ int gchar;
+
+ len = xmlStrlen(self->grouping);
+- pchar = xsltGetUTF8Char(self->grouping, &len);
++ gchar = xsltGetUTF8Char(self->grouping, &len);
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+ format_info.group,
+- pchar, len);
++ gchar, len);
+ } else
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 000000000000..69d62f2c9aef
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 000000000000..e3139698eb49
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 000000000000..e32dc47337cb
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"; version="1.0">
++ <xsl:decimal-format name="f" grouping-separator="⠢"/>
++ <xsl:template match="/">
++ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++ </xsl:template>
++</xsl:stylesheet>
+--
+2.20.1
+
diff -Nru libxslt-1.1.29/debian/patches/series libxslt-1.1.29/debian/patches/series
--- libxslt-1.1.29/debian/patches/series 2017-03-26 19:44:01.000000000 +0200
+++ libxslt-1.1.29/debian/patches/series 2019-08-24 14:04:13.000000000 +0200
@@ -6,3 +6,6 @@
0006-remove-plugin-in-xslt-config.patch
0007-Fix-heap-overread-in-xsltFormatNumberConversion.patch
0008-Check-for-integer-overflow-in-xsltAddTextString.patch
+0009-Fix-security-framework-bypass.patch
+0010-Fix-uninitialized-read-of-xsl-number-token.patch
+0011-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch
Reply to: