Mailinglist Archive: opensuse-commit (1903 mails)

< Previous Next >
commit libxslt for openSUSE:Factory
Hello community,

here is the log from the commit of package libxslt for openSUSE:Factory checked
in at 2019-04-17 10:04:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libxslt (Old)
and /work/SRC/openSUSE:Factory/.libxslt.new.17052 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libxslt"

Wed Apr 17 10:04:44 2019 rev:57 rq:693134 version:1.1.33

Changes:
--------
--- /work/SRC/openSUSE:Factory/libxslt/libxslt-python.changes 2019-03-08
13:28:04.322997238 +0100
+++ /work/SRC/openSUSE:Factory/.libxslt.new.17052/libxslt-python.changes
2019-04-17 10:04:47.366530885 +0200
@@ -1,0 +2,10 @@
+Thu Apr 11 06:06:01 UTC 2019 - Pedro Monreal Gonzalez
<pmonrealgonzalez@xxxxxxxx>
+
+- Security fix: [bsc#1132160, CVE-2019-11068]
+ * Bypass of a protection mechanism because callers of xsltCheckRead
+ and xsltCheckWrite permit access even upon receiving a -1 error
+ code. xsltCheckRead can return -1 for a crafted URL that is not
+ actually invalid and is subsequently loaded.
+ * Added libxslt-CVE-2019-11068.patch
+
+-------------------------------------------------------------------
libxslt.changes: same change

New:
----
libxslt-CVE-2019-11068.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libxslt-python.spec ++++++
--- /var/tmp/diff_new_pack.KlgHoT/_old 2019-04-17 10:04:50.038534103 +0200
+++ /var/tmp/diff_new_pack.KlgHoT/_new 2019-04-17 10:04:50.042534108 +0200
@@ -32,6 +32,8 @@
# it anyway; neither build the xsltproc subdir (not packaged here, faster)
Patch1: libxslt-do_not_build_doc_nor_xsltproc.patch
Patch2: libxslt-random-seed.patch
+# PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass
+Patch4: libxslt-CVE-2019-11068.patch
BuildRequires: libgcrypt-devel
BuildRequires: libgpg-error-devel
BuildRequires: libtool
@@ -58,6 +60,7 @@
%patch0
%patch1
%patch2 -p1
+%patch4 -p1

%build
autoreconf -fvi

++++++ libxslt.spec ++++++
--- /var/tmp/diff_new_pack.KlgHoT/_old 2019-04-17 10:04:50.058534128 +0200
+++ /var/tmp/diff_new_pack.KlgHoT/_new 2019-04-17 10:04:50.062534132 +0200
@@ -34,6 +34,8 @@
Patch1: libxslt-config-fixes.patch
Patch2: 0009-Make-generate-id-deterministic.patch
Patch3: libxslt-random-seed.patch
+# PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass
+Patch4: libxslt-CVE-2019-11068.patch
BuildRequires: libgcrypt-devel
BuildRequires: libgpg-error-devel
BuildRequires: libtool
@@ -102,6 +104,7 @@
%patch1
%patch2 -p1
%patch3 -p1
+%patch4 -p1

%build
autoreconf -fvi


++++++ libxslt-CVE-2019-11068.patch ++++++
From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@xxxxxxxx>
Date: Sun, 24 Mar 2019 09:51:39 +0100
Subject: [PATCH] Fix security framework bypass

xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
don't check for this condition and allow access. With a specially
crafted URL, xsltCheckRead could be tricked into returning an error
because of a supposedly invalid URL that would still be loaded
succesfully later on.

Fixes #12.

Thanks to Felix Wilhelm for the report.
---
libxslt/documents.c | 18 ++++++++++--------
libxslt/imports.c | 9 +++++----
libxslt/transform.c | 9 +++++----
libxslt/xslt.c | 9 +++++----
4 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/libxslt/documents.c b/libxslt/documents.c
index 3f3a7312..4aad11bb 100644
--- a/libxslt/documents.c
+++ b/libxslt/documents.c
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const
xmlChar *URI) {
int res;

res = xsltCheckRead(ctxt->sec, ctxt, URI);
- if (res == 0) {
- xsltTransformError(ctxt, NULL, NULL,
- "xsltLoadDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(ctxt, NULL, NULL,
+ "xsltLoadDocument: read rights for %s denied\n",
+ URI);
return(NULL);
}
}
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const
xmlChar *URI) {
int res;

res = xsltCheckRead(sec, NULL, URI);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltLoadStyleDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltLoadStyleDocument: read rights for %s denied\n",
+ URI);
return(NULL);
}
}
diff --git a/libxslt/imports.c b/libxslt/imports.c
index 874870cc..3783b247 100644
--- a/libxslt/imports.c
+++ b/libxslt/imports.c
@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style,
xmlNodePtr cur) {
int secres;

secres = xsltCheckRead(sec, NULL, URI);
- if (secres == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsl:import: read rights for %s denied\n",
- URI);
+ if (secres <= 0) {
+ if (secres == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsl:import: read rights for %s denied\n",
+ URI);
goto error;
}
}
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 13793914..0636dbd0 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt,
xmlNodePtr node,
*/
if (ctxt->sec != NULL) {
ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
- if (ret == 0) {
- xsltTransformError(ctxt, NULL, inst,
- "xsltDocumentElem: write rights for %s denied\n",
- filename);
+ if (ret <= 0) {
+ if (ret == 0)
+ xsltTransformError(ctxt, NULL, inst,
+ "xsltDocumentElem: write rights for %s denied\n",
+ filename);
xmlFree(URL);
xmlFree(filename);
return;
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 780a5ad7..a234eb79 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
int res;

res = xsltCheckRead(sec, NULL, filename);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltParseStylesheetFile: read rights for %s denied\n",
- filename);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltParseStylesheetFile: read rights for %s denied\n",
+ filename);
return(NULL);
}
}
--
2.18.1



< Previous Next >
This Thread
  • No further messages