Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <[email protected]>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #860289,
regarding jessie-pu: package libxslt/1.1.28-2+deb8u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
860289: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860289
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi
Given the next jessie point release is approaching I would like to
propose a fix for CVE-2017-5029, #858546 via the upcoming point
release.
Attached is the full debdiff.
The debian/changelog reads as
+libxslt (1.1.28-2+deb8u3) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Check for integer overflow in xsltAddTextString (CVE-2017-5029)
+ (Closes: #858546)
+
+ -- Salvatore Bonaccorso <[email protected]> Fri, 14 Apr 2017 08:28:09 +0200
Regards,
Salvatore
diff -Nru libxslt-1.1.28/debian/changelog libxslt-1.1.28/debian/changelog
--- libxslt-1.1.28/debian/changelog 2016-11-06 21:43:39.000000000 +0100
+++ libxslt-1.1.28/debian/changelog 2017-04-14 08:28:09.000000000 +0200
@@ -1,3 +1,11 @@
+libxslt (1.1.28-2+deb8u3) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Check for integer overflow in xsltAddTextString (CVE-2017-5029)
+ (Closes: #858546)
+
+ -- Salvatore Bonaccorso <[email protected]> Fri, 14 Apr 2017 08:28:09 +0200
+
libxslt (1.1.28-2+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch
--- libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.28/debian/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch 2017-04-14 08:28:09.000000000 +0200
@@ -0,0 +1,74 @@
+From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Thu, 12 Jan 2017 15:39:52 +0100
+Subject: [PATCH] Check for integer overflow in xsltAddTextString
+
+Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
+exploited to trigger an out of bounds write on 64-bit systems.
+
+Originally reported to Chromium:
+
+https://crbug.com/676623
+---
+ libxslt/transform.c | 25 ++++++++++++++++++++++---
+ libxslt/xsltInternals.h | 4 ++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 519133fc..02bff34a 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt,
xmlNodePtr target,
+ return(target);
+
+ if (ctxt->lasttext == target->content) {
++ int minSize;
+
+- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
++ /* Check for integer overflow accounting for NUL terminator. */
++ if (len >= INT_MAX - ctxt->lasttuse) {
++ xsltTransformError(ctxt, NULL, target,
++ "xsltCopyText: text allocation failed\n");
++ return(NULL);
++ }
++ minSize = ctxt->lasttuse + len + 1;
++
++ if (ctxt->lasttsize < minSize) {
+ xmlChar *newbuf;
+ int size;
++ int extra;
++
++ /* Double buffer size but increase by at least 100 bytes. */
++ extra = minSize < 100 ? 100 : minSize;
++
++ /* Check for integer overflow. */
++ if (extra > INT_MAX - ctxt->lasttsize) {
++ size = INT_MAX;
++ }
++ else {
++ size = ctxt->lasttsize + extra;
++ }
+
+- size = ctxt->lasttsize + len + 100;
+- size *= 2;
+ newbuf = (xmlChar *) xmlRealloc(target->content,size);
+ if (newbuf == NULL) {
+ xsltTransformError(ctxt, NULL, target,
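Review bot: the message in the new rejection branch, "xsltCopyText: text allocation failed\n", names the wrong function and the wrong condition: this is xsltAddTextString refusing a length that would push lasttuse + len + 1 past INT_MAX, not a failed allocation, so anyone reading the log will go looking for an OOM that never happened. Suggest something like "xsltAddTextString: text too large\n" and keep the allocation-failed wording for the xmlRealloc == NULL path that follows. The comment "Double buffer size but increase by at least 100 bytes." also undersells the code beneath it: this branch is only reached when lasttsize < minSize, so extra >= minSize > lasttsize and the new size lasttsize + extra is more than double; "at least double" is the accurate wording. The arithmetic itself checks out: len < INT_MAX - lasttuse guarantees minSize fits in an int, and the clamp to INT_MAX still satisfies size >= minSize, so xmlRealloc is always handed room for the copied text plus its NUL, which is exactly what the wrapping (lasttsize + len + 100) * 2 it replaces did not guarantee.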
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 060b1783..5ad17719 100644
+--- a/libxslt/xsltInternals.h
++++ b/libxslt/xsltInternals.h
+@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
+ * Speed optimization when coalescing text nodes
+ */
+ const xmlChar *lasttext; /* last text node content */
+- unsigned int lasttsize; /* last text node size */
+- unsigned int lasttuse; /* last text node use */
++ int lasttsize; /* last text node size */
++ int lasttuse; /* last text node use */
+ /*
+ * Per Context Debugging
+ */
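Review bot: changing lasttsize and lasttuse from unsigned int to int keeps the same width, so the _xsltTransformContext layout and the jessie ABI are unaffected, but it flips the signedness of two public struct members, and the checks in transform.c silently assume both stay non-negative (a negative len or lasttuse sails past len >= INT_MAX - lasttuse). Before accepting, worth grepping the 1.1.28 tree for other readers of lasttsize/lasttuse to confirm none compares them against size_t or unsigned values, and a build with -Wsign-compare to surface any new warnings the type change introduces.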
+--
+2.11.0
+
diff -Nru libxslt-1.1.28/debian/patches/series libxslt-1.1.28/debian/patches/series
--- libxslt-1.1.28/debian/patches/series 2016-11-06 21:43:39.000000000 +0100
+++ libxslt-1.1.28/debian/patches/series 2017-04-14 08:28:09.000000000 +0200
@@ -18,3 +18,4 @@
0018-Fix-buffer-overflow-in-exsltDateFormat.patch
0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch
0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch
+0021-Check-for-integer-overflow-in-xsltAddTextString.patch
--- End Message ---
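The buffer-growth arithmetic the patch above replaces, as an added example that is neither libxslt's code nor the submitter's: old_grow_size reproduces the pre-patch (lasttsize + len + 100) * 2 in unsigned int, old_path_overflows checks whether the copy that follows would run past that allocation, and new_grow_size reproduces the post-patch checks. The field widths (unsigned int before, int after) and len being an int follow the patched lines; the sample sizes are constructed, not taken from a real document.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Added example, not libxslt code: the xsltAddTextString buffer-growth
 * arithmetic before and after the CVE-2017-5029 patch, isolated so the
 * overflow can be exercised without building libxslt. Field widths
 * follow the patch (unsigned int before, int after); the sizes used in
 * main() are constructed.
 */

/* Pre-patch growth: (lasttsize + len + 100) * 2 in unsigned int.
 * Both the addition and the doubling can wrap modulo 2^32. */
unsigned int old_grow_size(unsigned int lasttsize, unsigned int len)
{
    unsigned int size = lasttsize + len + 100;
    size *= 2;
    return size;
}

/* Pre-patch path: grow only if lasttuse + len >= lasttsize, then copy
 * len bytes plus a NUL starting at offset lasttuse. Returns 1 if that
 * copy would run past the (possibly wrapped) allocation, else 0. */
int old_path_overflows(unsigned int lasttsize, unsigned int lasttuse,
                       unsigned int len)
{
    unsigned int size = lasttsize;
    unsigned long long needed;

    if (lasttuse + len >= lasttsize)
        size = old_grow_size(lasttsize, len);
    /* Real requirement computed in 64 bits so it cannot wrap. */
    needed = (unsigned long long)lasttuse + len + 1;
    return needed > size ? 1 : 0;
}

/* Post-patch growth: ints with explicit overflow checks.
 * Returns the size xmlRealloc would be given (or the unchanged
 * lasttsize when no growth is needed), or -1 where the patch
 * reports an error and returns NULL. */
int new_grow_size(int lasttsize, int lasttuse, int len)
{
    int minSize, extra;

    /* Reject lengths whose minSize would not fit in an int. */
    if (len >= INT_MAX - lasttuse)
        return -1;
    minSize = lasttuse + len + 1;          /* bytes including the NUL */
    if (lasttsize >= minSize)
        return lasttsize;                  /* fits, no realloc needed */

    /* Grow by max(minSize, 100), clamped to INT_MAX. */
    extra = minSize < 100 ? 100 : minSize;
    if (extra > INT_MAX - lasttsize)
        return INT_MAX;
    return lasttsize + extra;
}

int main(void)
{
    /* Constructed case: 1 GiB already buffered, 1 GiB + 1 KiB appended. */
    unsigned int tsize = 1073741824u, tuse = 1073741800u, len = 1073742848u;

    printf("old size: %u (overflow: %d)\n",
           old_grow_size(tsize, len), old_path_overflows(tsize, tuse, len));
    printf("new size: %d (-1 = rejected)\n",
           new_grow_size((int)tsize, (int)tuse, (int)len));
    printf("small append: old %u, new %d\n",
           old_grow_size(1024u, 50u), new_grow_size(1024, 1000, 50));
    return 0;
}
```

In the constructed case the doubled size wraps to a few thousand bytes while roughly 2 GiB is about to be copied in, which is the out-of-bounds write the commit message describes; the patched arithmetic refuses the same append because lasttuse + len + 1 would exceed INT_MAX, and for an append near the limit it clamps the allocation to INT_MAX rather than wrapping.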
--- Begin Message ---
Version: 8.8
Hi,
Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!
Regards,
Adam
--- End Message ---