Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi SRM'ers,

libxslt is affected by CVE-2019-18197 and the issue was fixed in unstable via the NMU 1.1.32-2.2, cherry-picking the upstream commit. As per the previous upload, the simplest here seems to be to do a rebuild of 1.1.32-2.2 for buster, versioned as 1.1.32-2.2~deb10u1.

Attached is the full resulting debdiff against the current 1.1.32-2.1~deb10u1 in buster.

Regards,
Salvatore
diff -Nru libxslt-1.1.32/debian/changelog libxslt-1.1.32/debian/changelog --- libxslt-1.1.32/debian/changelog 2019-08-09 21:49:31.000000000 +0200 +++ libxslt-1.1.32/debian/changelog 2019-11-03 17:11:47.000000000 +0100 @@ -1,8 +1,15 @@ -libxslt (1.1.32-2.1~deb10u1) buster; urgency=medium +libxslt (1.1.32-2.2~deb10u1) buster; urgency=medium * Rebuild for buster - -- Salvatore Bonaccorso <car...@debian.org> Fri, 09 Aug 2019 21:49:31 +0200 + -- Salvatore Bonaccorso <car...@debian.org> Sun, 03 Nov 2019 17:11:47 +0100 + +libxslt (1.1.32-2.2) unstable; urgency=medium + + * Non-maintainer upload. + * Fix dangling pointer in xsltCopyText (CVE-2019-18197) (Closes: #942646) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 19 Oct 2019 21:21:23 +0200 libxslt (1.1.32-2.1) unstable; urgency=medium diff -Nru libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch --- libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxslt-1.1.32/debian/patches/0009-Fix-dangling-pointer-in-xsltCopyText.patch 2019-10-19 21:21:23.000000000 +0200 
@@ -0,0 +1,35 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Sat, 17 Aug 2019 16:51:53 +0200 +Subject: Fix dangling pointer in xsltCopyText +Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18197 +Bug-Debian: https://bugs.debian.org/942646 +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746 +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768 +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914 + +xsltCopyText didn't reset ctxt->lasttext in some cases which could +lead to various memory errors in relation with CDATA sections in input +documents. + +Found by OSS-Fuzz. +--- + libxslt/transform.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 95ebd0732f95..d7ab0b6677cc 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target, + if ((copy->content = xmlStrdup(cur->content)) == NULL) + return NULL; + } ++ ++ ctxt->lasttext = NULL; + } else { + /* + * normal processing. keep counters to extend the text node +-- +2.20.1 + diff -Nru libxslt-1.1.32/debian/patches/series libxslt-1.1.32/debian/patches/series --- libxslt-1.1.32/debian/patches/series 2019-08-04 08:14:05.000000000 +0200 +++ libxslt-1.1.32/debian/patches/series 2019-10-19 21:21:23.000000000 +0200 @@ -6,3 +6,4 @@ 0006-Fix-security-framework-bypass.patch 0007-Fix-uninitialized-read-of-xsl-number-token.patch 0008-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch +0009-Fix-dangling-pointer-in-xsltCopyText.patch
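Review bot: in the debian/changelog hunk the buster entry for 1.1.32-2.2~deb10u1 says only "Rebuild for buster", and the 1.1.32-2.1~deb10u1 entry is replaced rather than kept, so the only mention of CVE-2019-18197 and #942646 in the buster changelog is the carried-over unstable entry below it. Consider naming the CVE in the ~deb10u1 entry as well (e.g. "Rebuild for buster (CVE-2019-18197)") so apt-listchanges and `apt changelog` readers see the security relevance at the top, and note that the earlier stable entry disappears as a consequence of rebuilding the unstable source.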
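Review bot: in the transform.c hunk the reset `ctxt->lasttext = NULL;` sits after the inner block containing `if ((copy->content = xmlStrdup(cur->content)) == NULL) return NULL;`, so on an allocation failure the function returns before the cache is cleared; moving the reset above that `if` would invalidate lasttext on both outcomes, though with the transform aborting on NULL this is a minor point. The cherry-pick also ships no regression test (the diffstat touches only libxslt/transform.c) while the header cites three OSS-Fuzz issues, so it is worth running xsltproc from the buster build under ASan over those reproducers before uploading to confirm the memory errors are gone.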
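The commit message describes a cached pointer to the last text buffer that is not invalidated on one code path. The following is an added example, not code from the patch or from libxslt, that models that failure mode in a simplified form: a "normal" copy path that appends in place to a cached buffer, keyed only on pointer identity plus remembered size and capacity, and a "CDATA" path that creates an exact-size strdup'ed node without touching the cache. A constructed toy allocator with canary bytes forces the freed address to be reused so the stale identity check passes deterministically. Every name here (m_alloc, copy_text_normal, copy_text_cdata, run_scenario, TEXT_CAP, the ctx_t and text_node layouts) is an assumption of the model; only the field name lasttext and the location of the reset mirror the upstream hunk, and libxslt's real data structures and allocator differ.

```c
#include <stdio.h>
#include <string.h>

/* Toy allocator standing in for malloc (constructed for this example): eight
 * fixed 64-byte slots, lowest free slot reused first so a freed address comes
 * straight back, and every byte past the requested size filled with a canary
 * so an overflow is visible without ASan. */
#define SLOT_SIZE 64
#define NSLOTS 8
#define CANARY 0xA5
static unsigned char slots[NSLOTS][SLOT_SIZE];
static size_t slot_req[NSLOTS];
static int slot_used[NSLOTS];

static void *m_alloc(size_t n) {
    if (n > SLOT_SIZE) return NULL;
    for (int i = 0; i < NSLOTS; i++) {
        if (slot_used[i]) continue;
        slot_used[i] = 1;
        slot_req[i] = n;
        memset(slots[i], 0, n);
        memset(slots[i] + n, CANARY, SLOT_SIZE - n);
        return slots[i];
    }
    return NULL;
}

static void m_free(void *p) {
    for (int i = 0; i < NSLOTS; i++)
        if (p == (void *)slots[i]) slot_used[i] = 0;
}

static char *m_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = m_alloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* 1 if nothing was written past the size p's slot was allocated with. */
static int m_redzone_intact(const void *p) {
    for (int i = 0; i < NSLOTS; i++) {
        if (p != (const void *)slots[i]) continue;
        for (size_t j = slot_req[i]; j < SLOT_SIZE; j++)
            if (slots[i][j] != CANARY) return 0;
        return 1;
    }
    return 0;
}

/* Minimal stand-ins for the transform context and a result text node
 * (assumed layouts, not libxslt's). */
#define TEXT_CAP 32                 /* growth room the normal path reserves */
typedef struct { char *content; } text_node;
typedef struct { text_node *last; } target_t;
typedef struct {
    const char *lasttext;           /* buffer the normal path last wrote to */
    size_t lastsize;                /* bytes used in it */
    size_t lastalloc;               /* bytes allocated for it */
} ctx_t;

/* Normal path: if target->last holds the cached buffer, append in place,
 * trusting lastsize/lastalloc; otherwise start a fresh node with spare room. */
static text_node *copy_text_normal(ctx_t *ctxt, target_t *target, const char *s) {
    size_t len = strlen(s);
    if (target->last != NULL && target->last->content == ctxt->lasttext) {
        if (ctxt->lastsize + len + 1 > ctxt->lastalloc) return NULL; /* no regrow in model */
        memcpy(target->last->content + ctxt->lastsize, s, len + 1);
        ctxt->lastsize += len;
        return target->last;
    }
    if (len + 1 > TEXT_CAP) return NULL;
    text_node *n = m_alloc(sizeof *n);
    if (n == NULL) return NULL;
    n->content = m_alloc(TEXT_CAP);
    if (n->content == NULL) { m_free(n); return NULL; }
    memcpy(n->content, s, len + 1);
    target->last = n;
    ctxt->lasttext = n->content;
    ctxt->lastsize = len;
    ctxt->lastalloc = TEXT_CAP;
    return n;
}

/* CDATA path: exact-size strdup, no growth bookkeeping. The upstream fix is
 * the single reset line; `fixed` switches it on. */
static text_node *copy_text_cdata(ctx_t *ctxt, target_t *target, const char *s, int fixed) {
    text_node *n = m_alloc(sizeof *n);
    if (n == NULL) return NULL;
    n->content = m_strdup(s);
    if (n->content == NULL) { m_free(n); return NULL; }
    target->last = n;
    if (fixed) ctxt->lasttext = NULL;
    return n;
}

static void free_fragment(target_t *t) {
    if (t->last) { m_free(t->last->content); m_free(t->last); t->last = NULL; }
}

/* Returns 1 if the final append stayed inside its buffer, 0 if it overflowed. */
int run_scenario(int fixed) {
    memset(slot_used, 0, sizeof slot_used);
    ctx_t ctxt = { NULL, 0, 0 };
    target_t frag = { NULL }, out = { NULL };
    copy_text_normal(&ctxt, &frag, "hello");    /* cache -> frag's 32-byte buffer */
    free_fragment(&frag);                        /* buffer freed; cache now dangles */
    text_node *cd = copy_text_cdata(&ctxt, &out, "xy", fixed); /* strdup reuses that address */
    if (cd == NULL) return 0;
    copy_text_normal(&ctxt, &out, "ABCDEFGH");   /* unfixed: identity check passes, writes at offset 5 of a 3-byte buffer */
    return m_redzone_intact(cd->content);
}

int main(void) {
    printf("unfixed: %s\n", run_scenario(0) ? "in bounds" : "heap overflow");
    printf("fixed:   %s\n", run_scenario(1) ? "in bounds" : "heap overflow");
    return 0;
}
```

The point the model makes is that the identity check `content == lasttext` is only safe while the cache is guaranteed to refer to a buffer the coalescing path itself sized; any path that hands out a text node with different bookkeeping has to clear the cache, which is exactly what the one-line upstream hunk does. Compile with `-fsanitize=address` after replacing the toy allocator with malloc/free and the unfixed run reports a heap-buffer-overflow at the memcpy.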