Package init
This commit is contained in:
dogsheng
parent
049c67f19e
commit
938e458485
70
CVE-2019-13118.patch
Normal file
70
CVE-2019-13118.patch
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Mon, 3 Jun 2019 13:14:45 +0200
|
||||||
|
Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
|
||||||
|
|
||||||
|
The character type in xsltFormatNumberConversion was too narrow and
|
||||||
|
an invalid character/length combination could be passed to
|
||||||
|
xsltNumberFormatDecimal, resulting in an uninitialized read.
|
||||||
|
|
||||||
|
Found by OSS-Fuzz.
|
||||||
|
---
|
||||||
|
libxslt/numbers.c | 5 +++--
|
||||||
|
tests/docs/bug-222.xml | 1 +
|
||||||
|
tests/general/bug-222.out | 2 ++
|
||||||
|
tests/general/bug-222.xsl | 6 ++++++
|
||||||
|
4 files changed, 12 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 tests/docs/bug-222.xml
|
||||||
|
create mode 100644 tests/general/bug-222.out
|
||||||
|
create mode 100644 tests/general/bug-222.xsl
|
||||||
|
|
||||||
|
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
|
||||||
|
index f1ed884..20b99d5 100644
|
||||||
|
--- a/libxslt/numbers.c
|
||||||
|
+++ b/libxslt/numbers.c
|
||||||
|
@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
|
||||||
|
number = floor((scale * number + 0.5)) / scale;
|
||||||
|
if ((self->grouping != NULL) &&
|
||||||
|
(self->grouping[0] != 0)) {
|
||||||
|
+ int gchar;
|
||||||
|
|
||||||
|
len = xmlStrlen(self->grouping);
|
||||||
|
- pchar = xsltGetUTF8Char(self->grouping, &len);
|
||||||
|
+ gchar = xsltGetUTF8Char(self->grouping, &len);
|
||||||
|
xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
|
||||||
|
format_info.integer_digits,
|
||||||
|
format_info.group,
|
||||||
|
- pchar, len);
|
||||||
|
+ gchar, len);
|
||||||
|
} else
|
||||||
|
xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
|
||||||
|
format_info.integer_digits,
|
||||||
|
diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..69d62f2
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/docs/bug-222.xml
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+<doc/>
|
||||||
|
diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..e313969
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/general/bug-222.out
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+<?xml version="1.0"?>
|
||||||
|
+1⠢0
|
||||||
|
diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..e32dc47
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/general/bug-222.xsl
|
||||||
|
@@ -0,0 +1,6 @@
|
||||||
|
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
|
||||||
|
+ <xsl:decimal-format name="f" grouping-separator="⠢"/>
|
||||||
|
+ <xsl:template match="/">
|
||||||
|
+ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
|
||||||
|
+ </xsl:template>
|
||||||
|
+</xsl:stylesheet>
|
||||||
|
--
|
||||||
|
1.7.12.4
|
||||||
29
CVE-2019-18197.patch
Normal file
29
CVE-2019-18197.patch
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Sat, 17 Aug 2019 16:51:53 +0200
|
||||||
|
Subject: [PATCH] Fix dangling pointer in xsltCopyText
|
||||||
|
|
||||||
|
xsltCopyText didn't reset ctxt->lasttext in some cases which could
|
||||||
|
lead to various memory errors in relation with CDATA sections in input
|
||||||
|
documents.
|
||||||
|
|
||||||
|
Found by OSS-Fuzz.
|
||||||
|
---
|
||||||
|
libxslt/transform.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libxslt/transform.c b/libxslt/transform.c
|
||||||
|
index 95ebd073..d7ab0b66 100644
|
||||||
|
--- a/libxslt/transform.c
|
||||||
|
+++ b/libxslt/transform.c
|
||||||
|
@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
|
||||||
|
if ((copy->content = xmlStrdup(cur->content)) == NULL)
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ ctxt->lasttext = NULL;
|
||||||
|
} else {
|
||||||
|
/*
|
||||||
|
* normal processing. keep counters to extend the text node
|
||||||
|
--
|
||||||
|
2.22.0
|
||||||
@ -1,6 +1,6 @@
|
|||||||
Name: libxslt
|
Name: libxslt
|
||||||
Version: 1.1.32
|
Version: 1.1.32
|
||||||
Release: 4
|
Release: 5
|
||||||
Summary: XSLT Transformation Library
|
Summary: XSLT Transformation Library
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://xmlsoft.org/libxslt/
|
URL: http://xmlsoft.org/libxslt/
|
||||||
@ -29,6 +29,8 @@ Patch6014:0015-Fix-numbering-in-non-Latin-scripts.patch
|
|||||||
Patch6015:0019-Avoid-quadratic-behavior-in-xsltSaveResultTo.patch
|
Patch6015:0019-Avoid-quadratic-behavior-in-xsltSaveResultTo.patch
|
||||||
Patch6016:0023-Fix-insertion-of-xsl-fallback-content.patch
|
Patch6016:0023-Fix-insertion-of-xsl-fallback-content.patch
|
||||||
Patch6017:0025-Fix-unsigned-integer-overflow-in-date.c.patch
|
Patch6017:0025-Fix-unsigned-integer-overflow-in-date.c.patch
|
||||||
|
Patch6018:CVE-2019-18197.patch
|
||||||
|
Patch6019:CVE-2019-13118.patch
|
||||||
|
|
||||||
BuildRequires: gcc make libtool autoconf automake libgcrypt-devel pkgconfig(libxml-2.0) >= 2.6.27
|
BuildRequires: gcc make libtool autoconf automake libgcrypt-devel pkgconfig(libxml-2.0) >= 2.6.27
|
||||||
|
|
||||||
@ -120,5 +122,8 @@ make check
|
|||||||
%doc python/tests/*.xsl
|
%doc python/tests/*.xsl
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Dec 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.32-5
|
||||||
|
- Fix CVE-2019-18197 and CVE-2019-13118
|
||||||
|
|
||||||
* Tue Sep 03 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.32-4
|
* Tue Sep 03 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.1.32-4
|
||||||
- Package init
|
- Package init
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user