Hello community, here is the log from the commit of package libxslt for openSUSE:Leap:15.2 checked in at 2020-05-29 18:49:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/libxslt (Old) and /work/SRC/openSUSE:Leap:15.2/.libxslt.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxslt" Fri May 29 18:49:04 2020 rev:28 rq:808984 version:1.1.32 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/libxslt/libxslt-python.changes 2020-01-15 15:25:49.862590286 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.libxslt.new.3606/libxslt-python.changes 2020-05-29 18:49:06.436190641 +0200 @@ -1,0 +2,25 @@ +Mon Oct 21 13:55:37 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com> + +- Security fix [bsc#1154609, CVE-2019-18197] + * Fix dangling pointer in xsltCopyText + * Add libxslt-CVE-2019-18197.patch + +------------------------------------------------------------------- +Tue Jul 2 15:02:27 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com> + +- Security fix: [bsc#1140101, CVE-2019-13118] + * Fix uninitialized read with UTF-8 grouping chars. Read of + uninitialized stack data due to too narrow xsl:number + instruction and an invalid character + * Added libxslt-CVE-2019-13118.patch + +------------------------------------------------------------------- +Tue Jul 2 15:00:56 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com> + +- Security fix: [bsc#1140095, CVE-2019-13117] + * Fix uninitialized read of xsl:number token. An xsl number with + certain format strings could lead to a uninitialized read in + xsltNumberFormatInsertNumbers + * Added libxslt-CVE-2019-13117.patch + +------------------------------------------------------------------- libxslt.changes: same change New: ---- libxslt-CVE-2019-13117.patch libxslt-CVE-2019-13118.patch libxslt-CVE-2019-18197.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxslt-python.spec ++++++ --- /var/tmp/diff_new_pack.KU0TN8/_old 2020-05-29 18:49:06.920192030 +0200 +++ /var/tmp/diff_new_pack.KU0TN8/_new 2020-05-29 18:49:06.924192041 +0200 @@ -1,7 +1,7 @@ # # spec file for package libxslt-python # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -34,6 +34,12 @@ Patch2: libxslt-random-seed.patch # PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass Patch4: libxslt-CVE-2019-11068.patch +# PATCH-FIX-UPSTREAM bsc#1140095 CVE-2019-13117 Fix uninitialized read of xsl:number token +Patch5: libxslt-CVE-2019-13117.patch +# PATCH-FIX-UPSTREAM bsc#1140101 CVE-2019-13118 Fix uninitialized read with UTF-8 grouping chars +Patch6: libxslt-CVE-2019-13118.patch +# PATCH-FIX-UPSTREAM bsc#1154609 CVE-2019-18197 Fix dangling pointer in xsltCopyText +Patch7: libxslt-CVE-2019-18197.patch BuildRequires: libgcrypt-devel BuildRequires: libgpg-error-devel BuildRequires: libtool @@ -61,6 +67,9 @@ %patch1 %patch2 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build autoreconf -fvi ++++++ libxslt.spec ++++++ --- /var/tmp/diff_new_pack.KU0TN8/_old 2020-05-29 18:49:06.944192098 +0200 +++ /var/tmp/diff_new_pack.KU0TN8/_new 2020-05-29 18:49:06.948192110 +0200 @@ -1,7 +1,7 @@ # # spec file for package libxslt # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -36,6 +36,12 @@ Patch3: libxslt-random-seed.patch # PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass Patch4: libxslt-CVE-2019-11068.patch +# PATCH-FIX-UPSTREAM bsc#1140095 CVE-2019-13117 Fix uninitialized read of xsl:number token +Patch5: libxslt-CVE-2019-13117.patch +# PATCH-FIX-UPSTREAM bsc#1140101 CVE-2019-13118 Fix uninitialized read with UTF-8 grouping chars +Patch6: libxslt-CVE-2019-13118.patch +# PATCH-FIX-UPSTREAM bsc#1154609 CVE-2019-18197 Fix dangling pointer in xsltCopyText +Patch7: libxslt-CVE-2019-18197.patch BuildRequires: libgcrypt-devel BuildRequires: libgpg-error-devel BuildRequires: libtool @@ -105,6 +111,9 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build autoreconf -fvi ++++++ libxslt-CVE-2019-13117.patch ++++++ >From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer <wellnho...@aevum.de> Date: Sat, 27 Apr 2019 11:19:48 +0200 Subject: [PATCH] Fix uninitialized read of xsl:number token Found by OSS-Fuzz. --- libxslt/numbers.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libxslt/numbers.c b/libxslt/numbers.c index 89e1f668..75c31eba 100644 --- a/libxslt/numbers.c +++ b/libxslt/numbers.c @@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format, tokens->tokens[tokens->nTokens].token = val - 1; ix += len; val = xmlStringCurrentChar(NULL, format+ix, &len); - } + } else { + tokens->tokens[tokens->nTokens].token = (xmlChar)'0'; + tokens->tokens[tokens->nTokens].width = 1; + } } else if ( (val == (xmlChar)'A') || (val == (xmlChar)'a') || (val == (xmlChar)'I') || -- 2.21.0 ++++++ libxslt-CVE-2019-13118.patch ++++++ >From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer <wellnho...@aevum.de> Date: Mon, 3 Jun 2019 13:14:45 +0200 Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars The character type in xsltFormatNumberConversion was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, resulting in an uninitialized read. Found by OSS-Fuzz. --- libxslt/numbers.c | 5 +++-- tests/docs/bug-222.xml | 1 + tests/general/bug-222.out | 2 ++ tests/general/bug-222.xsl | 6 ++++++ 4 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 tests/docs/bug-222.xml create mode 100644 tests/general/bug-222.out create mode 100644 tests/general/bug-222.xsl diff --git a/libxslt/numbers.c b/libxslt/numbers.c index f1ed8846..20b99d5a 100644 --- a/libxslt/numbers.c +++ b/libxslt/numbers.c @@ -1298,13 +1298,14 @@ OUTPUT_NUMBER: number = floor((scale * number + 0.5)) / scale; if ((self->grouping != NULL) && (self->grouping[0] != 0)) { + int gchar; len = xmlStrlen(self->grouping); - pchar = xsltGetUTF8Char(self->grouping, &len); + gchar = xsltGetUTF8Char(self->grouping, &len); xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], format_info.integer_digits, format_info.group, - pchar, len); + gchar, len); } else xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], format_info.integer_digits, diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml new file mode 100644 index 00000000..69d62f2c --- /dev/null +++ b/tests/docs/bug-222.xml @@ -0,0 +1 @@ +<doc/> diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out new file mode 100644 index 00000000..e3139698 --- /dev/null +++ b/tests/general/bug-222.out @@ -0,0 +1,2 @@ +<?xml version="1.0"?> +1⠢0 diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl new file mode 100644 index 00000000..e32dc473 --- /dev/null +++ b/tests/general/bug-222.xsl @@ -0,0 +1,6 @@ +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"; version="1.0"> + <xsl:decimal-format name="f" grouping-separator="⠢"/> + <xsl:template match="/"> + <xsl:value-of select="format-number(10,'#⠢0','f')"/> + </xsl:template> +</xsl:stylesheet> -- 2.21.0 ++++++ libxslt-CVE-2019-18197.patch ++++++ >From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer <wellnho...@aevum.de> Date: Sat, 17 Aug 2019 16:51:53 +0200 Subject: [PATCH] Fix dangling pointer in xsltCopyText xsltCopyText didn't reset ctxt->lasttext in some cases which could lead to various memory errors in relation with CDATA sections in input documents. Found by OSS-Fuzz. --- libxslt/transform.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libxslt/transform.c b/libxslt/transform.c index 95ebd073..d7ab0b66 100644 --- a/libxslt/transform.c +++ b/libxslt/transform.c @@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target, if ((copy->content = xmlStrdup(cur->content)) == NULL) return NULL; } + + ctxt->lasttext = NULL; } else { /* * normal processing. keep counters to extend the text node -- 2.22.0
