Hello community,
here is the log from the commit of package libxslt for openSUSE:Factory checked
in at 2017-03-16 09:34:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libxslt (Old)
and /work/SRC/openSUSE:Factory/.libxslt.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxslt"
Thu Mar 16 09:34:26 2017 rev:49 rq:479026 version:1.1.29
Changes:
--------
--- /work/SRC/openSUSE:Factory/libxslt/libxslt.changes 2016-06-20
10:55:12.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libxslt.new/libxslt.changes 2017-03-16
09:34:27.266908559 +0100
@@ -1,0 +2,10 @@
+Mon Mar 13 12:43:04 UTC 2017 - pmonrealgonza...@suse.com
+
+- Added patch libxslt-CVE-2016-4738.patch
+ * Fix heap overread in xsltFormatNumberConversion: An empty
+ decimal-separator could cause a heap overread. This can be
+ exploited to leak a couple of bytes after the buffer that holds
+ the pattern string.
+ * bsc#1005591 CVE-2016-4738
+
+-------------------------------------------------------------------
New:
----
libxslt-CVE-2016-4738.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libxslt-python.spec ++++++
--- /var/tmp/diff_new_pack.JROMt7/_old 2017-03-16 09:34:27.982807192 +0100
+++ /var/tmp/diff_new_pack.JROMt7/_new 2017-03-16 09:34:27.982807192 +0100
@@ -1,7 +1,7 @@
#
# spec file for package libxslt-python
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
++++++ libxslt.spec ++++++
--- /var/tmp/diff_new_pack.JROMt7/_old 2017-03-16 09:34:28.002804360 +0100
+++ /var/tmp/diff_new_pack.JROMt7/_new 2017-03-16 09:34:28.002804360 +0100
@@ -1,7 +1,7 @@
#
# spec file for package libxslt
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -31,6 +31,7 @@
Patch0: %{name}-1.1.24-no-net-autobuild.patch
Patch1: libxslt-config-fixes.patch
Patch2: 0009-Make-generate-id-deterministic.patch
+Patch3: libxslt-CVE-2016-4738.patch
BuildRequires: libgcrypt-devel
BuildRequires: libgpg-error-devel
BuildRequires: libtool
@@ -99,6 +100,7 @@
%patch0
%patch1
%patch2 -p1
+%patch3 -p1
%build
autoreconf -fvi
++++++ libxslt-CVE-2016-4738.patch ++++++
>From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnho...@aevum.de>
Date: Fri, 10 Jun 2016 14:23:58 +0200
Subject: Fix heap overread in xsltFormatNumberConversion
An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.
Found with afl-fuzz and ASan.
---
libxslt/numbers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index d1549b4..e78c46b 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
}
/* We have finished the integer part, now work on fraction */
- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
+ if ( (*the_format != 0) &&
+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
format_info.add_decimal = TRUE;
the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
}
--
cgit v0.12
