diff --git a/CVE-2019-13118.patch b/CVE-2019-13118.patch new file mode 100644 index 0000000..4baeed7 --- /dev/null +++ b/CVE-2019-13118.patch @@ -0,0 +1,70 @@ +From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 3 Jun 2019 13:14:45 +0200 +Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars + +The character type in xsltFormatNumberConversion was too narrow and +an invalid character/length combination could be passed to +xsltNumberFormatDecimal, resulting in an uninitialized read. + +Found by OSS-Fuzz. +--- + libxslt/numbers.c | 5 +++-- + tests/docs/bug-222.xml | 1 + + tests/general/bug-222.out | 2 ++ + tests/general/bug-222.xsl | 6 ++++++ + 4 files changed, 12 insertions(+), 2 deletions(-) + create mode 100644 tests/docs/bug-222.xml + create mode 100644 tests/general/bug-222.out + create mode 100644 tests/general/bug-222.xsl + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index f1ed884..20b99d5 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER: + number = floor((scale * number + 0.5)) / scale; + if ((self->grouping != NULL) && + (self->grouping[0] != 0)) { ++ int gchar; + + len = xmlStrlen(self->grouping); +- pchar = xsltGetUTF8Char(self->grouping, &len); ++ gchar = xsltGetUTF8Char(self->grouping, &len); + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, + format_info.group, +- pchar, len); ++ gchar, len); + } else + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, +diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml +new file mode 100644 +index 0000000..69d62f2 +--- /dev/null ++++ b/tests/docs/bug-222.xml +@@ -0,0 +1 @@ ++ +diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out +new file mode 100644 +index 0000000..e313969 +--- /dev/null ++++ b/tests/general/bug-222.out +@@ -0,0 +1,2 @@ ++ ++1⠢0 +diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl +new file mode 100644 +index 0000000..e32dc47 +--- /dev/null ++++ b/tests/general/bug-222.xsl +@@ -0,0 +1,6 @@ ++ ++ ++ ++ ++ ++ +-- +1.7.12.4 diff --git a/CVE-2019-18197.patch b/CVE-2019-18197.patch new file mode 100644 index 0000000..7e4cb07 --- /dev/null +++ b/CVE-2019-18197.patch @@ -0,0 +1,29 @@ +From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 17 Aug 2019 16:51:53 +0200 +Subject: [PATCH] Fix dangling pointer in xsltCopyText + +xsltCopyText didn't reset ctxt->lasttext in some cases which could +lead to various memory errors in relation with CDATA sections in input +documents. + +Found by OSS-Fuzz. +--- + libxslt/transform.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 95ebd073..d7ab0b66 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target, + if ((copy->content = xmlStrdup(cur->content)) == NULL) + return NULL; + } ++ ++ ctxt->lasttext = NULL; + } else { + /* + * normal processing. keep counters to extend the text node +-- +2.22.0 diff --git a/libxslt.spec b/libxslt.spec index b3cdeca..70947ec 100644 --- a/libxslt.spec +++ b/libxslt.spec @@ -1,6 +1,6 @@ Name: libxslt Version: 1.1.32 -Release: 4 +Release: 5 Summary: XSLT Transformation Library License: MIT URL: http://xmlsoft.org/libxslt/ @@ -29,6 +29,8 @@ Patch6014:0015-Fix-numbering-in-non-Latin-scripts.patch Patch6015:0019-Avoid-quadratic-behavior-in-xsltSaveResultTo.patch Patch6016:0023-Fix-insertion-of-xsl-fallback-content.patch Patch6017:0025-Fix-unsigned-integer-overflow-in-date.c.patch +Patch6018:CVE-2019-18197.patch +Patch6019:CVE-2019-13118.patch BuildRequires: gcc make libtool autoconf automake libgcrypt-devel pkgconfig(libxml-2.0) >= 2.6.27 @@ -120,5 +122,8 @@ make check %doc python/tests/*.xsl %changelog +* Sat Dec 21 2019 openEuler Buildteam - 1.1.32-5 +- Fix CVE-2019-18197 and CVE-2019-13118 + * Tue Sep 03 2019 openEuler Buildteam - 1.1.32-4 - Package init