Package: release.debian.org Severity: normal Tags: jessie User: [email protected] Usertags: pu
Hi Given the next jessie point release is approaching I would like to propose a fix for CVE-2017-5029, #858546 via the upcoming point release. Attached is the full debdiff. The debian/changelog reads as +libxslt (1.1.28-2+deb8u3) jessie; urgency=medium + + * Non-maintainer upload. + * Check for integer overflow in xsltAddTextString (CVE-2017-5029) + (Closes: #858546) + + -- Salvatore Bonaccorso <[email protected]> Fri, 14 Apr 2017 08:28:09 +0200 Regards, Salvatore
diff -Nru libxslt-1.1.28/debian/changelog libxslt-1.1.28/debian/changelog --- libxslt-1.1.28/debian/changelog 2016-11-06 21:43:39.000000000 +0100 +++ libxslt-1.1.28/debian/changelog 2017-04-14 08:28:09.000000000 +0200 @@ -1,3 +1,11 @@ +libxslt (1.1.28-2+deb8u3) jessie; urgency=medium + + * Non-maintainer upload. + * Check for integer overflow in xsltAddTextString (CVE-2017-5029) + (Closes: #858546) + + -- Salvatore Bonaccorso <[email protected]> Fri, 14 Apr 2017 08:28:09 +0200 + libxslt (1.1.28-2+deb8u2) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch --- libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch 2017-04-14 08:28:09.000000000 +0200 @@ -0,0 +1,74 @@ +From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <[email protected]> +Date: Thu, 12 Jan 2017 15:39:52 +0100 +Subject: [PATCH] Check for integer overflow in xsltAddTextString + +Limit buffer size in xsltAddTextString to INT_MAX. The issue can be +exploited to trigger an out of bounds write on 64-bit systems. + +Originally reported to Chromium: + +https://crbug.com/676623 +--- + libxslt/transform.c | 25 ++++++++++++++++++++++--- + libxslt/xsltInternals.h | 4 ++-- + 2 files changed, 24 insertions(+), 5 deletions(-) + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 519133fc..02bff34a 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, + return(target); + + if (ctxt->lasttext == target->content) { ++ int minSize; + +- if (ctxt->lasttuse + len >= ctxt->lasttsize) { ++ /* Check for integer overflow accounting for NUL terminator. */ ++ if (len >= INT_MAX - ctxt->lasttuse) { ++ xsltTransformError(ctxt, NULL, target, ++ "xsltCopyText: text allocation failed\n"); ++ return(NULL); ++ } ++ minSize = ctxt->lasttuse + len + 1; ++ ++ if (ctxt->lasttsize < minSize) { + xmlChar *newbuf; + int size; ++ int extra; ++ ++ /* Double buffer size but increase by at least 100 bytes. */ ++ extra = minSize < 100 ? 100 : minSize; ++ ++ /* Check for integer overflow. */ ++ if (extra > INT_MAX - ctxt->lasttsize) { ++ size = INT_MAX; ++ } ++ else { ++ size = ctxt->lasttsize + extra; ++ } + +- size = ctxt->lasttsize + len + 100; +- size *= 2; + newbuf = (xmlChar *) xmlRealloc(target->content,size); + if (newbuf == NULL) { + xsltTransformError(ctxt, NULL, target, +diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h +index 060b1783..5ad17719 100644 +--- a/libxslt/xsltInternals.h ++++ b/libxslt/xsltInternals.h +@@ -1754,8 +1754,8 @@ struct _xsltTransformContext { + * Speed optimization when coalescing text nodes + */ + const xmlChar *lasttext; /* last text node content */ +- unsigned int lasttsize; /* last text node size */ +- unsigned int lasttuse; /* last text node use */ ++ int lasttsize; /* last text node size */ ++ int lasttuse; /* last text node use */ + /* + * Per Context Debugging + */ +-- +2.11.0 + diff -Nru libxslt-1.1.28/debian/patches/series libxslt-1.1.28/debian/patches/series --- libxslt-1.1.28/debian/patches/series 2016-11-06 21:43:39.000000000 +0100 +++ libxslt-1.1.28/debian/patches/series 2017-04-14 08:28:09.000000000 +0200 @@ -18,3 +18,4 @@ 0018-Fix-buffer-overflow-in-exsltDateFormat.patch 0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch 0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch +0021-Check-for-integer-overflow-in-xsltAddTextString.patch
