mirror of
https://git.yoctoproject.org/poky
synced 2026-04-21 21:32:12 +02:00
libxslt: Cve fix CVE-2019-11068
(From OE-Core rev: c9c3fabddb4e1779ef330f2073f85dce83cb460b) Signed-off-by: Muminul Islam <muislam@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Muminul Islam
committed by
Richard Purdie
Richard Purdie
parent
26ab554fd5
commit
94ac57739c
128
meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch
Normal file
128
meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch
Normal file
@@ -0,0 +1,128 @@
|
||||
From aed812d8dbbb6d1337312652aa72aa7f44d2b07d Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sun, 24 Mar 2019 09:51:39 +0100
|
||||
Subject: [PATCH] Fix security framework bypass
|
||||
|
||||
xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
|
||||
don't check for this condition and allow access. With a specially
|
||||
crafted URL, xsltCheckRead could be tricked into returning an error
|
||||
because of a supposedly invalid URL that would still be loaded
|
||||
succesfully later on.
|
||||
|
||||
Fixes #12.
|
||||
|
||||
Thanks to Felix Wilhelm for the report.
|
||||
|
||||
Signed-off-by: Muminul Islam <muminul.islam@microsoft.com>
|
||||
|
||||
CVE: CVE-2019-11068
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
|
||||
---
|
||||
libxslt/documents.c | 18 ++++++++++--------
|
||||
libxslt/imports.c | 9 +++++----
|
||||
libxslt/transform.c | 9 +++++----
|
||||
libxslt/xslt.c | 9 +++++----
|
||||
4 files changed, 25 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/libxslt/documents.c b/libxslt/documents.c
|
||||
index 3f3a7312..4aad11bb 100644
|
||||
--- a/libxslt/documents.c
|
||||
+++ b/libxslt/documents.c
|
||||
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
|
||||
int res;
|
||||
|
||||
res = xsltCheckRead(ctxt->sec, ctxt, URI);
|
||||
- if (res == 0) {
|
||||
- xsltTransformError(ctxt, NULL, NULL,
|
||||
- "xsltLoadDocument: read rights for %s denied\n",
|
||||
- URI);
|
||||
+ if (res <= 0) {
|
||||
+ if (res == 0)
|
||||
+ xsltTransformError(ctxt, NULL, NULL,
|
||||
+ "xsltLoadDocument: read rights for %s denied\n",
|
||||
+ URI);
|
||||
return(NULL);
|
||||
}
|
||||
}
|
||||
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
|
||||
int res;
|
||||
|
||||
res = xsltCheckRead(sec, NULL, URI);
|
||||
- if (res == 0) {
|
||||
- xsltTransformError(NULL, NULL, NULL,
|
||||
- "xsltLoadStyleDocument: read rights for %s denied\n",
|
||||
- URI);
|
||||
+ if (res <= 0) {
|
||||
+ if (res == 0)
|
||||
+ xsltTransformError(NULL, NULL, NULL,
|
||||
+ "xsltLoadStyleDocument: read rights for %s denied\n",
|
||||
+ URI);
|
||||
return(NULL);
|
||||
}
|
||||
}
|
||||
diff --git a/libxslt/imports.c b/libxslt/imports.c
|
||||
index 7262aab9..b62e0877 100644
|
||||
--- a/libxslt/imports.c
|
||||
+++ b/libxslt/imports.c
|
||||
@@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
|
||||
int secres;
|
||||
|
||||
secres = xsltCheckRead(sec, NULL, URI);
|
||||
- if (secres == 0) {
|
||||
- xsltTransformError(NULL, NULL, NULL,
|
||||
- "xsl:import: read rights for %s denied\n",
|
||||
- URI);
|
||||
+ if (secres <= 0) {
|
||||
+ if (secres == 0)
|
||||
+ xsltTransformError(NULL, NULL, NULL,
|
||||
+ "xsl:import: read rights for %s denied\n",
|
||||
+ URI);
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
diff --git a/libxslt/transform.c b/libxslt/transform.c
|
||||
index 560f43ca..46eef553 100644
|
||||
--- a/libxslt/transform.c
|
||||
+++ b/libxslt/transform.c
|
||||
@@ -3485,10 +3485,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
|
||||
*/
|
||||
if (ctxt->sec != NULL) {
|
||||
ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
|
||||
- if (ret == 0) {
|
||||
- xsltTransformError(ctxt, NULL, inst,
|
||||
- "xsltDocumentElem: write rights for %s denied\n",
|
||||
- filename);
|
||||
+ if (ret <= 0) {
|
||||
+ if (ret == 0)
|
||||
+ xsltTransformError(ctxt, NULL, inst,
|
||||
+ "xsltDocumentElem: write rights for %s denied\n",
|
||||
+ filename);
|
||||
xmlFree(URL);
|
||||
xmlFree(filename);
|
||||
return;
|
||||
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
|
||||
index 54a39de9..359913e4 100644
|
||||
--- a/libxslt/xslt.c
|
||||
+++ b/libxslt/xslt.c
|
||||
@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
|
||||
int res;
|
||||
|
||||
res = xsltCheckRead(sec, NULL, filename);
|
||||
- if (res == 0) {
|
||||
- xsltTransformError(NULL, NULL, NULL,
|
||||
- "xsltParseStylesheetFile: read rights for %s denied\n",
|
||||
- filename);
|
||||
+ if (res <= 0) {
|
||||
+ if (res == 0)
|
||||
+ xsltTransformError(NULL, NULL, NULL,
|
||||
+ "xsltParseStylesheetFile: read rights for %s denied\n",
|
||||
+ filename);
|
||||
return(NULL);
|
||||
}
|
||||
}
|
||||
--
|
||||
2.23.0
|
||||
|
||||
@@ -10,6 +10,7 @@ DEPENDS = "libxml2"
|
||||
|
||||
SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
|
||||
file://fix-rvts-handling.patch \
|
||||
file://CVE-2019-11068.patch \
|
||||
"
|
||||
|
||||
SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146"
|
||||
|
||||
Reference in New Issue
Block a user