Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1898 from sparklemotion/1892-libxslt-patch-for-us…
…n-3947 Backport libxslt patch for CVE-2019-11068
- Loading branch information
Showing
3 changed files
with
128 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
120 changes: 120 additions & 0 deletions
120
patches/libxslt/0001-Fix-security-framework-bypass.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001 | ||
| From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
| Date: Sun, 24 Mar 2019 09:51:39 +0100 | ||
| Subject: [PATCH] Fix security framework bypass | ||
|
|
||
| xsltCheckRead and xsltCheckWrite return -1 in case of error but callers | ||
| don't check for this condition and allow access. With a specially | ||
| crafted URL, xsltCheckRead could be tricked into returning an error | ||
| because of a supposedly invalid URL that would still be loaded | ||
| succesfully later on. | ||
|
|
||
| Fixes #12. | ||
|
|
||
| Thanks to Felix Wilhelm for the report. | ||
| --- | ||
| libxslt/documents.c | 18 ++++++++++-------- | ||
| libxslt/imports.c | 9 +++++---- | ||
| libxslt/transform.c | 9 +++++---- | ||
| libxslt/xslt.c | 9 +++++---- | ||
| 4 files changed, 25 insertions(+), 20 deletions(-) | ||
|
|
||
| diff --git a/libxslt/documents.c b/libxslt/documents.c | ||
| index 3f3a731..4aad11b 100644 | ||
| --- a/libxslt/documents.c | ||
| +++ b/libxslt/documents.c | ||
| @@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) { | ||
| int res; | ||
|
|
||
| res = xsltCheckRead(ctxt->sec, ctxt, URI); | ||
| - if (res == 0) { | ||
| - xsltTransformError(ctxt, NULL, NULL, | ||
| - "xsltLoadDocument: read rights for %s denied\n", | ||
| - URI); | ||
| + if (res <= 0) { | ||
| + if (res == 0) | ||
| + xsltTransformError(ctxt, NULL, NULL, | ||
| + "xsltLoadDocument: read rights for %s denied\n", | ||
| + URI); | ||
| return(NULL); | ||
| } | ||
| } | ||
| @@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) { | ||
| int res; | ||
|
|
||
| res = xsltCheckRead(sec, NULL, URI); | ||
| - if (res == 0) { | ||
| - xsltTransformError(NULL, NULL, NULL, | ||
| - "xsltLoadStyleDocument: read rights for %s denied\n", | ||
| - URI); | ||
| + if (res <= 0) { | ||
| + if (res == 0) | ||
| + xsltTransformError(NULL, NULL, NULL, | ||
| + "xsltLoadStyleDocument: read rights for %s denied\n", | ||
| + URI); | ||
| return(NULL); | ||
| } | ||
| } | ||
| diff --git a/libxslt/imports.c b/libxslt/imports.c | ||
| index 874870c..3783b24 100644 | ||
| --- a/libxslt/imports.c | ||
| +++ b/libxslt/imports.c | ||
| @@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) { | ||
| int secres; | ||
|
|
||
| secres = xsltCheckRead(sec, NULL, URI); | ||
| - if (secres == 0) { | ||
| - xsltTransformError(NULL, NULL, NULL, | ||
| - "xsl:import: read rights for %s denied\n", | ||
| - URI); | ||
| + if (secres <= 0) { | ||
| + if (secres == 0) | ||
| + xsltTransformError(NULL, NULL, NULL, | ||
| + "xsl:import: read rights for %s denied\n", | ||
| + URI); | ||
| goto error; | ||
| } | ||
| } | ||
| diff --git a/libxslt/transform.c b/libxslt/transform.c | ||
| index 1379391..0636dbd 100644 | ||
| --- a/libxslt/transform.c | ||
| +++ b/libxslt/transform.c | ||
| @@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node, | ||
| */ | ||
| if (ctxt->sec != NULL) { | ||
| ret = xsltCheckWrite(ctxt->sec, ctxt, filename); | ||
| - if (ret == 0) { | ||
| - xsltTransformError(ctxt, NULL, inst, | ||
| - "xsltDocumentElem: write rights for %s denied\n", | ||
| - filename); | ||
| + if (ret <= 0) { | ||
| + if (ret == 0) | ||
| + xsltTransformError(ctxt, NULL, inst, | ||
| + "xsltDocumentElem: write rights for %s denied\n", | ||
| + filename); | ||
| xmlFree(URL); | ||
| xmlFree(filename); | ||
| return; | ||
| diff --git a/libxslt/xslt.c b/libxslt/xslt.c | ||
| index 780a5ad..a234eb7 100644 | ||
| --- a/libxslt/xslt.c | ||
| +++ b/libxslt/xslt.c | ||
| @@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) { | ||
| int res; | ||
|
|
||
| res = xsltCheckRead(sec, NULL, filename); | ||
| - if (res == 0) { | ||
| - xsltTransformError(NULL, NULL, NULL, | ||
| - "xsltParseStylesheetFile: read rights for %s denied\n", | ||
| - filename); | ||
| + if (res <= 0) { | ||
| + if (res == 0) | ||
| + xsltTransformError(NULL, NULL, NULL, | ||
| + "xsltParseStylesheetFile: read rights for %s denied\n", | ||
| + filename); | ||
| return(NULL); | ||
| } | ||
| } | ||
| -- | ||
| 2.17.1 | ||
|
|