Hello community, here is the log from the commit of package libxslt for openSUSE:Factory checked in at 2019-04-17 10:04:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxslt (Old) and /work/SRC/openSUSE:Factory/.libxslt.new.17052 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxslt"
Wed Apr 17 10:04:44 2019 rev:57 rq:693134 version:1.1.33
Changes:
--------
--- /work/SRC/openSUSE:Factory/libxslt/libxslt-python.changes 2019-03-08 13:28:04.322997238 +0100
+++ /work/SRC/openSUSE:Factory/.libxslt.new.17052/libxslt-python.changes 2019-04-17 10:04:47.366530885 +0200
@@ -1,0 +2,10 @@
+Thu Apr 11 06:06:01 UTC 2019 - Pedro Monreal Gonzalez <[email protected]>
+
+- Security fix: [bsc#1132160, CVE-2019-11068]
+ * Bypass of a protection mechanism because callers of xsltCheckRead
+ and xsltCheckWrite permit access even upon receiving a -1 error
+ code. xsltCheckRead can return -1 for a crafted URL that is not
+ actually invalid and is subsequently loaded.
+ * Added libxslt-CVE-2019-11068.patch
+
+-------------------------------------------------------------------
libxslt.changes: same change
New:
----
libxslt-CVE-2019-11068.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libxslt-python.spec ++++++
--- /var/tmp/diff_new_pack.KlgHoT/_old 2019-04-17 10:04:50.038534103 +0200
+++ /var/tmp/diff_new_pack.KlgHoT/_new 2019-04-17 10:04:50.042534108 +0200
@@ -32,6 +32,8 @@
 # it anyway; neither build the xsltproc subdir (not packaged here, faster)
 Patch1: libxslt-do_not_build_doc_nor_xsltproc.patch
 Patch2: libxslt-random-seed.patch
+# PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass
+Patch4: libxslt-CVE-2019-11068.patch
 BuildRequires: libgcrypt-devel
 BuildRequires: libgpg-error-devel
 BuildRequires: libtool
@@ -58,6 +60,7 @@
 %patch0
 %patch1
 %patch2 -p1
+%patch4 -p1
 %build
 autoreconf -fvi
++++++ libxslt.spec ++++++
--- /var/tmp/diff_new_pack.KlgHoT/_old 2019-04-17 10:04:50.058534128 +0200
+++ /var/tmp/diff_new_pack.KlgHoT/_new 2019-04-17 10:04:50.062534132 +0200
@@ -34,6 +34,8 @@
 Patch1: libxslt-config-fixes.patch
 Patch2: 0009-Make-generate-id-deterministic.patch
 Patch3: libxslt-random-seed.patch
+# PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass
+Patch4: libxslt-CVE-2019-11068.patch
 BuildRequires: libgcrypt-devel
 BuildRequires: libgpg-error-devel
 BuildRequires: libtool
@@ -102,6 +104,7 @@
 %patch1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 %build
 autoreconf -fvi
++++++ libxslt-CVE-2019-11068.patch ++++++
>From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <[email protected]>
Date: Sun, 24 Mar 2019 09:51:39 +0100
Subject: [PATCH] Fix security framework bypass
xsltCheckRead and xsltCheckWrite return -1 in case of error but callers don't check for this condition and allow access. With a specially crafted URL, xsltCheckRead could be tricked into returning an error because of a supposedly invalid URL that would still be loaded succesfully later on.
Fixes #12.
Thanks to Felix Wilhelm for the report.
---
 libxslt/documents.c | 18 ++++++++++--------
 libxslt/imports.c | 9 +++++----
 libxslt/transform.c | 9 +++++----
 libxslt/xslt.c | 9 +++++----
 4 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/libxslt/documents.c b/libxslt/documents.c
index 3f3a7312..4aad11bb 100644
--- a/libxslt/documents.c
+++ b/libxslt/documents.c
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
 int res;
 res = xsltCheckRead(ctxt->sec, ctxt, URI);
- if (res == 0) {
- xsltTransformError(ctxt, NULL, NULL,
- "xsltLoadDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(ctxt, NULL, NULL,
+ "xsltLoadDocument: read rights for %s denied\n",
+ URI);
 return(NULL);
 }
 }
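Review bot: The `res < 0` path in xsltLoadDocument now returns NULL with no message from this call site, and nothing in the new code says why an error from the check is handled like a denial. Whether xsltCheckRead reports its own failure is not visible in this hunk, so a comment above the outer test would make the fail-closed intent explicit, for example `/* res < 0: the security check itself failed; fail closed and treat it as denied */`. The same comment is missing from the identical branches added in xsltLoadStyleDocument, xsltParseStylesheetImport, xsltDocumentElem and xsltParseStylesheetFile. The enclosing function starts and ends outside the hunk.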
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
 int res;
 res = xsltCheckRead(sec, NULL, URI);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltLoadStyleDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltLoadStyleDocument: read rights for %s denied\n",
+ URI);
 return(NULL);
 }
 }
diff --git a/libxslt/imports.c b/libxslt/imports.c
index 874870cc..3783b247 100644
--- a/libxslt/imports.c
+++ b/libxslt/imports.c
@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
 int secres;
 secres = xsltCheckRead(sec, NULL, URI);
- if (secres == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsl:import: read rights for %s denied\n",
- URI);
+ if (secres <= 0) {
+ if (secres == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsl:import: read rights for %s denied\n",
+ URI);
 goto error;
 }
 }
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 13793914..0636dbd0 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
 */
 if (ctxt->sec != NULL) {
 ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
- if (ret == 0) {
- xsltTransformError(ctxt, NULL, inst,
- "xsltDocumentElem: write rights for %s denied\n",
- filename);
+ if (ret <= 0) {
+ if (ret == 0)
+ xsltTransformError(ctxt, NULL, inst,
+ "xsltDocumentElem: write rights for %s denied\n",
+ filename);
 xmlFree(URL);
 xmlFree(filename);
 return;
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 780a5ad7..a234eb79 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
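Review bot: In the libxslt/transform.c hunk, xsltDocumentElem still proceeds to the write for every xsltCheckWrite result that is not zero or negative, because the new test is `if (ret <= 0)`. The return contract is not visible in this hunk, but if it is 1 for allowed, 0 for denied and -1 for error, testing for the single allowing value fails closed on anything unexpected: `if (ret != 1) {`. The inner `if (ret == 0)` that selects the "denied" message can stay as it is. The function body continues on both sides of the hunk.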
@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
 int res;
 res = xsltCheckRead(sec, NULL, filename);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltParseStylesheetFile: read rights for %s denied\n",
- filename);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltParseStylesheetFile: read rights for %s denied\n",
+ filename);
 return(NULL);
 }
 }
--
2.18.1
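Review bot: The new `res <= 0` branch in xsltParseStylesheetFile is not covered by any test in this patch; the diffstat lists only the four libxslt/*.c files. A regression case that installs security preferences, passes a filename for which xsltCheckRead returns -1, and asserts that the function returns NULL would pin the fail-closed behaviour. The same case could be repeated for the other four call sites changed here. The function starts and ends outside the hunk.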
