[xml/sgml-pkgs] Bug#703933: libxslt: CVE-2012-6139
Salvatore Bonaccorso
carnil at debian.org
Mon Mar 25 23:03:07 UTC 2013
Hi
Slightly refreshed patches, taken from the upstream git commits, are attached.
But the resulting package is not yet tested (passed the testsuite).
Regards,
Salvatore
-------------- next part --------------
diff -Nru libxslt-1.1.26/debian/changelog libxslt-1.1.26/debian/changelog
--- libxslt-1.1.26/debian/changelog 2012-10-02 17:55:02.000000000 +0200
+++ libxslt-1.1.26/debian/changelog 2013-03-25 23:49:09.000000000 +0100
@@ -1,3 +1,11 @@
+libxslt (1.1.26-14.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Add patches to fix denial of service vulnerability (CVE-2012-6139)
+ (Closes: #703933)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Mon, 25 Mar 2013 23:48:39 +0100
+
libxslt (1.1.26-14) unstable; urgency=low
* Patch to fix three CVEs (Closes: #689422):
diff -Nru libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch
--- libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch 2013-03-25 23:49:09.000000000 +0100
@@ -0,0 +1,64 @@
+From dc11b6b379a882418093ecc8adf11f6166682e8d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Sun, 21 Oct 2012 19:02:25 +0200
+Subject: [PATCH] Fix crash with empty xsl:key/@match attribute
+
+See https://bugzilla.gnome.org/show_bug.cgi?id=685328
+
+Also improve some xsl:key error messages.
+---
+ libxslt/keys.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/libxslt/keys.c
++++ b/libxslt/keys.c
+@@ -311,8 +311,8 @@
+ end = skipPredicate(match, end);
+ if (end <= 0) {
+ xsltTransformError(NULL, style, inst,
+- "key pattern is malformed: %s",
+- key->match);
++ "xsl:key : 'match' pattern is malformed: %s",
++ key->match);
+ if (style != NULL) style->errors++;
+ goto error;
+ }
+@@ -321,7 +321,7 @@
+ }
+ if (current == end) {
+ xsltTransformError(NULL, style, inst,
+- "key pattern is empty\n");
++ "xsl:key : 'match' pattern is empty\n");
+ if (style != NULL) style->errors++;
+ goto error;
+ }
+@@ -344,6 +344,12 @@
+ }
+ current = end;
+ }
++ if (pattern == NULL) {
++ xsltTransformError(NULL, style, inst,
++ "xsl:key : 'match' pattern is empty\n");
++ if (style != NULL) style->errors++;
++ goto error;
++ }
+ #ifdef WITH_XSLT_DEBUG_KEYS
+ xsltGenericDebug(xsltGenericDebugContext,
+ " resulting pattern %s\n", pattern);
+@@ -359,14 +365,14 @@
+ key->comp = xsltXPathCompile(style, pattern);
+ if (key->comp == NULL) {
+ xsltTransformError(NULL, style, inst,
+- "xsl:key : XPath pattern compilation failed '%s'\n",
++ "xsl:key : 'match' pattern compilation failed '%s'\n",
+ pattern);
+ if (style != NULL) style->errors++;
+ }
+ key->usecomp = xsltXPathCompile(style, use);
+ if (key->usecomp == NULL) {
+ xsltTransformError(NULL, style, inst,
+- "xsl:key : XPath pattern compilation failed '%s'\n",
++ "xsl:key : 'use' expression compilation failed '%s'\n",
+ use);
+ if (style != NULL) style->errors++;
+ }
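Review bot: In the last keys.c hunk, the two `xsltXPathCompile` failure branches only increment `style->errors` and fall through instead of leaving via `goto error` as the new `pattern == NULL` guard does, so a key whose `comp` or `usecomp` is NULL may remain registered after the error. If the later key-lookup code does not check for NULL, adding `goto error;` after `if (style != NULL) style->errors++;` in both branches would close that path; the rest of the function lies outside the hunk, so this needs confirming against the full file. The reworded message `"xsl:key : 'match' pattern is malformed: %s"` also has no trailing `\n`, unlike the other xsl:key messages in this patch, which will run the next log line into it. The upstream diffstat lists only keys.c, so no regression test for the empty-`match` case ships with this fix.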
diff -Nru libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch
--- libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch 2013-03-25 23:49:09.000000000 +0100
@@ -0,0 +1,85 @@
+From 6c99c519d97e5fcbec7a9537d190efb442e4e833 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Wed, 10 Oct 2012 12:09:36 +0200
+Subject: [PATCH] Crash when passing an uninitialized variable to document()
+
+https://bugzilla.gnome.org/show_bug.cgi?id=685330
+
+Missing check for NULL
+---
+ libxslt/functions.c | 5 +++--
+ tests/docs/Makefile.am | 1 +
+ tests/docs/bug-180.xml | 2 ++
+ tests/general/Makefile.am | 1 +
+ tests/general/bug-180.err | 4 ++++
+ tests/general/bug-180.xsl | 8 ++++++++
+ 6 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-180.xml
+ create mode 100644 tests/general/bug-180.err
+ create mode 100644 tests/general/bug-180.out
+ create mode 100644 tests/general/bug-180.xsl
+
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -260,7 +260,7 @@
+ obj = valuePop(ctxt);
+ ret = xmlXPathNewNodeSet(NULL);
+
+- if (obj->nodesetval) {
++ if ((obj != NULL) && obj->nodesetval) {
+ for (i = 0; i < obj->nodesetval->nodeNr; i++) {
+ valuePush(ctxt,
+ xmlXPathNewNodeSet(obj->nodesetval->nodeTab[i]));
+@@ -280,7 +280,8 @@
+ }
+ }
+
+- xmlXPathFreeObject(obj);
++ if (obj != NULL)
++ xmlXPathFreeObject(obj);
+ if (obj2 != NULL)
+ xmlXPathFreeObject(obj2);
+ valuePush(ctxt, ret);
+--- /dev/null
++++ b/tests/docs/bug-180.xml
+@@ -0,0 +1,2 @@
++<doc/>
++
+--- /dev/null
++++ b/tests/general/bug-180.err
+@@ -0,0 +1,4 @@
++runtime error: file ./bug-180.xsl line 4 element copy-of
++Variable 'xxx' has not been declared.
++XPath error : Stack usage errror
++xmlXPathCompiledEval: 1 objects left on the stack.
+--- /dev/null
++++ b/tests/general/bug-180.xsl
+@@ -0,0 +1,8 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++
++ <xsl:template match="/">
++ <xsl:copy-of select=" * | document($xxx) "/>
++ </xsl:template>
++
++</xsl:stylesheet>
++
+--- a/tests/docs/Makefile.am
++++ b/tests/docs/Makefile.am
+@@ -168,6 +168,7 @@
+ bug-167.xml \
+ bug-168.xml \
+ bug-169.xml \
++ bug-180.xml \
+ character.xml \
+ array.xml \
+ items.xml
+--- a/tests/general/Makefile.am
++++ b/tests/general/Makefile.am
+@@ -177,6 +177,7 @@
+ bug-167.out bug-167.xsl \
+ bug-168.out bug-168.xsl \
+ bug-169.out bug-169.xsl bug-169.imp \
++ bug-180.out bug-180.xsl bug-180.err \
+ character.out character.xsl \
+ character2.out character2.xsl \
+ itemschoose.out itemschoose.xsl \
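Review bot: The patch header lists `create mode 100644 tests/general/bug-180.out` and the tests/general/Makefile.am hunk adds `bug-180.out` to the file list, but no hunk in the refreshed patch creates that file. If it is empty upstream, a plain unified diff applied through the patch series will not produce it, so it is worth checking that the test run and any dist step behave the same without it, or shipping the file another way. In the functions.c hunks, the `obj != NULL` guard lets the function return an empty node set without comment when `valuePop(ctxt)` yields NULL. A one-line comment such as `/* valuePop() can return NULL, e.g. when the argument was an undeclared variable */` would record why the check exists. The enclosing function begins and ends outside the hunks.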
diff -Nru libxslt-1.1.26/debian/patches/series libxslt-1.1.26/debian/patches/series
--- libxslt-1.1.26/debian/patches/series 2012-10-02 17:53:16.000000000 +0200
+++ libxslt-1.1.26/debian/patches/series 2013-03-25 23:49:09.000000000 +0100
@@ -6,3 +6,5 @@
0006-cve-2012-2870.patch
0007-Fix-default-template-processing-on-namespace-nodes.patch
0008-Fix-a-dictionary-string-usage.patch
+0009-Fix-crash-with-empty-xsl-key-match-attribute.patch
+0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0009-Fix-crash-with-empty-xsl-key-match-attribute.patch
Type: text/x-diff
Size: 2064 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debian-xml-sgml-pkgs/attachments/20130326/08c2873c/attachment-0002.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch
Type: text/x-diff
Size: 2524 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debian-xml-sgml-pkgs/attachments/20130326/08c2873c/attachment-0003.patch>