[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-5-2' - external/libxslt
Michael Stahl (via logerrit)
logerrit at kemper.freedesktop.org
Tue Apr 23 12:10:59 UTC 2019
external/libxslt/UnpackedTarball_xslt.mk | 1
external/libxslt/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch.1 | 120 ++++++++++
2 files changed, 121 insertions(+)
New commits:
commit e3a7d1ff5086e252145f6ce429b0725ced340615
Author: Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Wed Apr 17 14:50:10 2019 +0200
Commit: Michael Stahl <Michael.Stahl at cib.de>
CommitDate: Tue Apr 23 14:09:56 2019 +0200
libxslt: add patch for CVE-2019-11068
Change-Id: I3fe30de8140dce3d81cdfae7d41e0bd465b1d5f4
Reviewed-on: https://gerrit.libreoffice.org/70879
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl at cib.de>
(cherry picked from commit 2d85b75b1220484aebd6e583d6d7aee71280e38e)
Reviewed-on: https://gerrit.libreoffice.org/70894
Reviewed-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>
(cherry picked from commit 32948e7778b959ef1037d9be707a6bfc7db4160d)
diff --git a/external/libxslt/UnpackedTarball_xslt.mk b/external/libxslt/UnpackedTarball_xslt.mk
index f17a42aba179..04ef80703e86 100644
--- a/external/libxslt/UnpackedTarball_xslt.mk
+++ b/external/libxslt/UnpackedTarball_xslt.mk
@@ -17,6 +17,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,xslt,\
external/libxslt/libxslt-msvc.patch.2 \
external/libxslt/libxslt-1.1.26-memdump.patch \
external/libxslt/rpath.patch.0 \
+ external/libxslt/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch.1 \
))
# vim: set noet sw=4 ts=4:
diff --git a/external/libxslt/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch.1 b/external/libxslt/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch.1
new file mode 100644
index 000000000000..260f35d1a35e
--- /dev/null
+++ b/external/libxslt/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch.1
@@ -0,0 +1,120 @@
+From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: [PATCH] Fix security framework bypass
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c | 9 +++++----
+ libxslt/transform.c | 9 +++++----
+ libxslt/xslt.c | 9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312..4aad11bb 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(ctxt->sec, ctxt, URI);
+- if (res == 0) {
+- xsltTransformError(ctxt, NULL, NULL,
+- "xsltLoadDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(ctxt, NULL, NULL,
++ "xsltLoadDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, URI);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltLoadStyleDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltLoadStyleDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cc..3783b247 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ int secres;
+
+ secres = xsltCheckRead(sec, NULL, URI);
+- if (secres == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsl:import: read rights for %s denied\n",
+- URI);
++ if (secres <= 0) {
++ if (secres == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsl:import: read rights for %s denied\n",
++ URI);
+ goto error;
+ }
+ }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914..0636dbd0 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ */
+ if (ctxt->sec != NULL) {
+ ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+- if (ret == 0) {
+- xsltTransformError(ctxt, NULL, inst,
+- "xsltDocumentElem: write rights for %s denied\n",
+- filename);
++ if (ret <= 0) {
++ if (ret == 0)
++ xsltTransformError(ctxt, NULL, inst,
++ "xsltDocumentElem: write rights for %s denied\n",
++ filename);
+ xmlFree(URL);
+ xmlFree(filename);
+ return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad7..a234eb79 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, filename);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltParseStylesheetFile: read rights for %s denied\n",
+- filename);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltParseStylesheetFile: read rights for %s denied\n",
++ filename);
+ return(NULL);
+ }
+ }
+--
+2.18.1
+
More information about the Libreoffice-commits
mailing list