[xml/sgml-pkgs] Bug#703933: Bug#703933: libxslt: CVE-2012-6139

Salvatore Bonaccorso carnil at debian.org
Tue Mar 26 20:16:58 UTC 2013


Hi Aron!

On Tue, Mar 26, 2013 at 04:05:16PM +0800, Aron Xu wrote:
> Hi,
> 
> Please go ahead with NMU, and thank you very much!

Uploaded now the package with the patch. Here again for reference in
case you want to commit it to the git repo.

Regards, and thanks for the ack. With that, I uploaded directly rather
than through the delayed queue.

Salvatore
-------------- next part --------------
diff -Nru libxslt-1.1.26/debian/changelog libxslt-1.1.26/debian/changelog
--- libxslt-1.1.26/debian/changelog	2012-10-02 17:55:02.000000000 +0200
+++ libxslt-1.1.26/debian/changelog	2013-03-26 20:43:41.000000000 +0100
@@ -1,3 +1,12 @@
+libxslt (1.1.26-14.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Upload as NMU acknowledged by Aron Xu.
+  * Add patches to fix denial of service vulnerability (CVE-2012-6139)
+    (Closes: #703933)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 26 Mar 2013 20:31:18 +0100
+
 libxslt (1.1.26-14) unstable; urgency=low
 
   * Patch to fix three CVEs (Closes: #689422):
diff -Nru libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch
--- libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch	2013-03-26 20:43:41.000000000 +0100
@@ -0,0 +1,64 @@
+From dc11b6b379a882418093ecc8adf11f6166682e8d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Sun, 21 Oct 2012 19:02:25 +0200
+Subject: [PATCH] Fix crash with empty xsl:key/@match attribute
+
+See https://bugzilla.gnome.org/show_bug.cgi?id=685328
+
+Also improve some xsl:key error messages.
+---
+ libxslt/keys.c |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/libxslt/keys.c
++++ b/libxslt/keys.c
+@@ -311,8 +311,8 @@
+ 	        end = skipPredicate(match, end);
+ 		if (end <= 0) {
+ 		    xsltTransformError(NULL, style, inst,
+-		                       "key pattern is malformed: %s",
+-				       key->match);
++		        "xsl:key : 'match' pattern is malformed: %s",
++		        key->match);
+ 		    if (style != NULL) style->errors++;
+ 		    goto error;
+ 		}
+@@ -321,7 +321,7 @@
+ 	}
+ 	if (current == end) {
+ 	    xsltTransformError(NULL, style, inst,
+-			       "key pattern is empty\n");
++			       "xsl:key : 'match' pattern is empty\n");
+ 	    if (style != NULL) style->errors++;
+ 	    goto error;
+ 	}
+@@ -344,6 +344,12 @@
+ 	}
+ 	current = end;
+     }
++    if (pattern == NULL) {
++        xsltTransformError(NULL, style, inst,
++                           "xsl:key : 'match' pattern is empty\n");
++        if (style != NULL) style->errors++;
++        goto error;
++    }
+ #ifdef WITH_XSLT_DEBUG_KEYS
+     xsltGenericDebug(xsltGenericDebugContext,
+ 	"   resulting pattern %s\n", pattern);
+@@ -359,14 +365,14 @@
+     key->comp = xsltXPathCompile(style, pattern);
+     if (key->comp == NULL) {
+ 	xsltTransformError(NULL, style, inst,
+-		"xsl:key : XPath pattern compilation failed '%s'\n",
++		"xsl:key : 'match' pattern compilation failed '%s'\n",
+ 		         pattern);
+ 	if (style != NULL) style->errors++;
+     }
+     key->usecomp = xsltXPathCompile(style, use);
+     if (key->usecomp == NULL) {
+ 	xsltTransformError(NULL, style, inst,
+-		"xsl:key : XPath pattern compilation failed '%s'\n",
++		"xsl:key : 'use' expression compilation failed '%s'\n",
+ 		         use);
+ 	if (style != NULL) style->errors++;
+     }
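Review bot: The reworded message in the first keys.c hunk, `"xsl:key : 'match' pattern is malformed: %s"`, still has no trailing newline, while every other xsl:key message touched by this patch ends in `\n`. I would make it `"xsl:key : 'match' pattern is malformed: %s\n"` so the error does not run into the next line of output. Separately, the two compilation-failure branches in the last hunk only increment `style->errors` and fall through, instead of taking `goto error` as the new `pattern == NULL` check does. Whether a key with a NULL `comp` or `usecomp` is rejected later is not visible here, so that is worth confirming against the rest of the function. The function body starts and ends outside these hunks.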
diff -Nru libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch
--- libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch	2013-03-26 20:43:41.000000000 +0100
@@ -0,0 +1,85 @@
+From 6c99c519d97e5fcbec7a9537d190efb442e4e833 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Wed, 10 Oct 2012 12:09:36 +0200
+Subject: [PATCH] Crash when passing an uninitialized variable to document()
+
+https://bugzilla.gnome.org/show_bug.cgi?id=685330
+
+Missing check for NULL
+---
+ libxslt/functions.c       |    5 +++--
+ tests/docs/Makefile.am    |    1 +
+ tests/docs/bug-180.xml    |    2 ++
+ tests/general/Makefile.am |    1 +
+ tests/general/bug-180.err |    4 ++++
+ tests/general/bug-180.xsl |    8 ++++++++
+ 6 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-180.xml
+ create mode 100644 tests/general/bug-180.err
+ create mode 100644 tests/general/bug-180.out
+ create mode 100644 tests/general/bug-180.xsl
+
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -260,7 +260,7 @@
+         obj = valuePop(ctxt);
+         ret = xmlXPathNewNodeSet(NULL);
+ 
+-        if (obj->nodesetval) {
++        if ((obj != NULL) && obj->nodesetval) {
+             for (i = 0; i < obj->nodesetval->nodeNr; i++) {
+                 valuePush(ctxt,
+                           xmlXPathNewNodeSet(obj->nodesetval->nodeTab[i]));
+@@ -280,7 +280,8 @@
+             }
+         }
+ 
+-        xmlXPathFreeObject(obj);
++        if (obj != NULL)
++            xmlXPathFreeObject(obj);
+         if (obj2 != NULL)
+             xmlXPathFreeObject(obj2);
+         valuePush(ctxt, ret);
+--- /dev/null
++++ b/tests/docs/bug-180.xml
+@@ -0,0 +1,2 @@
++<doc/>
++
+--- /dev/null
++++ b/tests/general/bug-180.err
+@@ -0,0 +1,4 @@
++runtime error: file ./bug-180.xsl line 4 element copy-of
++Variable 'xxx' has not been declared.
++XPath error : Stack usage errror
++xmlXPathCompiledEval: 1 objects left on the stack.
+--- /dev/null
++++ b/tests/general/bug-180.xsl
+@@ -0,0 +1,8 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++
++  <xsl:template match="/">
++      <xsl:copy-of select=" * | document($xxx) "/>
++  </xsl:template>
++
++</xsl:stylesheet>
++
+--- a/tests/docs/Makefile.am
++++ b/tests/docs/Makefile.am
+@@ -168,6 +168,7 @@
+ 	bug-167.xml \
+ 	bug-168.xml \
+ 	bug-169.xml \
++	bug-180.xml \
+ 	character.xml \
+ 	array.xml \
+ 	items.xml
+--- a/tests/general/Makefile.am
++++ b/tests/general/Makefile.am
+@@ -177,6 +177,7 @@
+     bug-167.out bug-167.xsl \
+     bug-168.out bug-168.xsl \
+     bug-169.out bug-169.xsl bug-169.imp \
++    bug-180.out bug-180.xsl bug-180.err \
+     character.out character.xsl \
+     character2.out character2.xsl \
+     itemschoose.out itemschoose.xsl \
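Review bot: The patch header announces `create mode 100644 tests/general/bug-180.out` and the tests/general/Makefile.am hunk lists `bug-180.out`, but no file section in the patch creates it. Presumably the expected output is empty, which a plain unified diff cannot carry. After the patch is applied from debian/patches the file would then be absent, so any dist or test step that references it may fail. It is worth confirming in the build log that the file exists, or creating it explicitly during the package build. In functions.c, the new `if (obj != NULL)` guard before `xmlXPathFreeObject(obj)` is redundant because that function already accepts NULL, though it is harmless and matches the `obj2` line below it.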
diff -Nru libxslt-1.1.26/debian/patches/series libxslt-1.1.26/debian/patches/series
--- libxslt-1.1.26/debian/patches/series	2012-10-02 17:53:16.000000000 +0200
+++ libxslt-1.1.26/debian/patches/series	2013-03-26 20:43:41.000000000 +0100
@@ -6,3 +6,5 @@
 0006-cve-2012-2870.patch
 0007-Fix-default-template-processing-on-namespace-nodes.patch
 0008-Fix-a-dictionary-string-usage.patch
+0009-Fix-crash-with-empty-xsl-key-match-attribute.patch
+0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch

