Hello community, here is the log from the commit of package libxslt for openSUSE:Factory checked in at 2017-05-10 20:32:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxslt (Old) and /work/SRC/openSUSE:Factory/.libxslt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libxslt" Wed May 10 20:32:05 2017 rev:51 rq:491210 version:1.1.29 Changes: -------- --- /work/SRC/openSUSE:Factory/libxslt/libxslt.changes 2017-04-11 09:30:07.084595939 +0200 +++ /work/SRC/openSUSE:Factory/.libxslt.new/libxslt.changes 2017-05-10 20:32:06.946632913 +0200 @@ -1,0 +2,7 @@ +Tue Apr 25 15:03:30 UTC 2017 - pmonrealgonzalez@suse.com + +- Fixed CVE-2017-5029 bcs#1035905 + * Limit buffer size in xsltAddTextString to INT_MAX +- Added patch libxslt-1.1.28-CVE-2017-5029.patch + +------------------------------------------------------------------- New: ---- libxslt-1.1.28-CVE-2017-5029.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxslt.spec ++++++ --- /var/tmp/diff_new_pack.fLXYtN/_old 2017-05-10 20:32:07.946491849 +0200 +++ /var/tmp/diff_new_pack.fLXYtN/_new 2017-05-10 20:32:07.950491285 +0200 @@ -33,6 +33,8 @@ Patch2: 0009-Make-generate-id-deterministic.patch Patch3: libxslt-CVE-2016-4738.patch Patch4: libxslt-random-seed.patch +# PATCH-FIX-UPSTREAM CVE-2017-5029 bsc#1035905 +Patch5: libxslt-1.1.28-CVE-2017-5029.patch BuildRequires: libgcrypt-devel BuildRequires: libgpg-error-devel BuildRequires: libtool @@ -103,6 +105,7 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %build autoreconf -fvi ++++++ libxslt-1.1.28-CVE-2017-5029.patch ++++++
From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer
Date: Thu, 12 Jan 2017 15:39:52 +0100 Subject: Check for integer overflow in xsltAddTextString
Limit buffer size in xsltAddTextString to INT_MAX. The issue can be exploited to trigger an out of bounds write on 64-bit systems. Originally reported to Chromium: https://crbug.com/676623 --- libxslt/transform.c | 25 ++++++++++++++++++++++--- libxslt/xsltInternals.h | 4 ++-- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/libxslt/transform.c b/libxslt/transform.c index 519133f..02bff34 100644 --- a/libxslt/transform.c +++ b/libxslt/transform.c @@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, return(target); if (ctxt->lasttext == target->content) { + int minSize; - if (ctxt->lasttuse + len >= ctxt->lasttsize) { + /* Check for integer overflow accounting for NUL terminator. */ + if (len >= INT_MAX - ctxt->lasttuse) { + xsltTransformError(ctxt, NULL, target, + "xsltCopyText: text allocation failed\n"); + return(NULL); + } + minSize = ctxt->lasttuse + len + 1; + + if (ctxt->lasttsize < minSize) { xmlChar *newbuf; int size; + int extra; + + /* Double buffer size but increase by at least 100 bytes. */ + extra = minSize < 100 ? 100 : minSize; + + /* Check for integer overflow. */ + if (extra > INT_MAX - ctxt->lasttsize) { + size = INT_MAX; + } + else { + size = ctxt->lasttsize + extra; + } - size = ctxt->lasttsize + len + 100; - size *= 2; newbuf = (xmlChar *) xmlRealloc(target->content,size); if (newbuf == NULL) { xsltTransformError(ctxt, NULL, target, diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h index 060b178..5ad1771 100644 --- a/libxslt/xsltInternals.h +++ b/libxslt/xsltInternals.h @@ -1754,8 +1754,8 @@ struct _xsltTransformContext { * Speed optimization when coalescing text nodes */ const xmlChar *lasttext; /* last text node content */ - unsigned int lasttsize; /* last text node size */ - unsigned int lasttuse; /* last text node use */ + int lasttsize; /* last text node size */ + int lasttuse; /* last text node use */ /* * Per Context Debugging */ -- cgit v0.12