Bug#944064: marked as done (buster-pu: package libxslt/1.1.32-2.2~deb10u1)

[Debian Bug Tracking System]

Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id 
<83c9ffab6f08361485f70dda4733a7a24aeec09b.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #944064,
regarding buster-pu: package libxslt/1.1.32-2.2~deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
944064: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944064
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Hi SRM'ers

libxslt is affected by CVE-2019-18197 and the issue was fixed in
unstable via the NMU 1.1.32-2.2 cherry picking the upstream commit. As
per previous upload here the simplest seem to be to do a rebuild of
1.1.32-2.2 for buster, versioned as 1.1.32-2.2~deb10u1.

Attached the full resulting debdiff against the current
1.1.32-2.1~deb10u1 in buster.

Regards,
Salvatore

diff -Nru libxslt-1.1.32/debian/changelog libxslt-1.1.32/debian/changelog
--- libxslt-1.1.32/debian/changelog     2019-08-09 21:49:31.000000000 +0200
+++ libxslt-1.1.32/debian/changelog     2019-11-03 17:11:47.000000000 +0100
@@ -1,8 +1,15 @@
-libxslt (1.1.32-2.1~deb10u1) buster; urgency=medium
+libxslt (1.1.32-2.2~deb10u1) buster; urgency=medium
 
   * Rebuild for buster 
 
- -- Salvatore Bonaccorso <car...@debian.org>  Fri, 09 Aug 2019 21:49:31 +0200
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 03 Nov 2019 17:11:47 +0100
+
+libxslt (1.1.32-2.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix dangling pointer in xsltCopyText (CVE-2019-18197) (Closes: #942646)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 19 Oct 2019 21:21:23 +0200
 
 libxslt (1.1.32-2.1) unstable; urgency=medium
 
diff -Nru 
libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch 
libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch
--- 
libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch   
    1970-01-01 01:00:00.000000000 +0100
+++ 
libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch   
    2019-10-19 21:21:23.000000000 +0200
@@ -0,0 +1,35 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Sat, 17 Aug 2019 16:51:53 +0200
+Subject: Fix dangling pointer in xsltCopyText
+Origin: 
https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18197
+Bug-Debian: https://bugs.debian.org/942646
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
+
+xsltCopyText didn't reset ctxt->lasttext in some cases which could
+lead to various memory errors in relation with CDATA sections in input
+documents.
+
+Found by OSS-Fuzz.
+---
+ libxslt/transform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 95ebd0732f95..d7ab0b6677cc 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr 
target,
+           if ((copy->content = xmlStrdup(cur->content)) == NULL)
+               return NULL;
+       }
++
++      ctxt->lasttext = NULL;
+     } else {
+         /*
+        * normal processing. keep counters to extend the text node
+-- 
+2.20.1
+
diff -Nru libxslt-1.1.32/debian/patches/series 
libxslt-1.1.32/debian/patches/series
--- libxslt-1.1.32/debian/patches/series        2019-08-04 08:14:05.000000000 
+0200
+++ libxslt-1.1.32/debian/patches/series        2019-10-19 21:21:23.000000000 
+0200
@@ -6,3 +6,4 @@
 0006-Fix-security-framework-bypass.patch
 0007-Fix-uninitialized-read-of-xsl-number-token.patch
 0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch
+0009-Fix-dangling-pointer-in-xsltCopyText.patch

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---