Loading package/libxslt/libxslt-configure.patch→package/libxslt/libxslt-1.1.26-configure.patch +0 −0 File moved. View file package/libxslt/libxslt-1.1.26-id-generation.patch 0 → 100644 +56 −0 Original line number Diff line number Diff line From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001 From: Daniel Veillard <veillard@redhat.com> Date: Tue, 22 Feb 2011 02:14:23 +0000 Subject: Fix generate-id() to not expose object addresses As pointed out by Chris Evans <scarybeasts@gmail.com> it's better security wise to not expose object addresses directly, use a diff w.r.t. the document root own address to avoid this * libxslt/functions.c: fix IDs generation code --- diff --git a/libxslt/functions.c b/libxslt/functions.c index 4720c7a..de962f4 100644 --- a/libxslt/functions.c +++ b/libxslt/functions.c @@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) void xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ xmlNodePtr cur = NULL; - unsigned long val; - xmlChar str[20]; + long val; + xmlChar str[30]; + xmlDocPtr doc; if (nargs == 0) { cur = ctxt->context->node; @@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ * Okay this is ugly but should work, use the NodePtr address * to forge the ID */ - val = (unsigned long)((char *)cur - (char *)0); - val /= sizeof(xmlNode); - sprintf((char *)str, "id%ld", val); + if (cur->type != XML_NAMESPACE_DECL) + doc = cur->doc; + else { + xmlNsPtr ns = (xmlNsPtr) cur; + + if (ns->context != NULL) + doc = ns->context; + else + doc = ctxt->context->doc; + + } + + val = (long)((char *)cur - (char *)doc); + if (val >= 0) { + sprintf((char *)str, "idp%ld", val); + } else { + sprintf((char *)str, "idm%ld", -val); + } valuePush(ctxt, xmlXPathNewString(str)); } -- cgit v0.8.3.4 package/libxslt/libxslt-1.1.26-pattern-out-of-bounds-read.patch 0 → 100644 +27 −0 Original line number Diff line number Diff line 
From fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b Mon Sep 17 00:00:00 2001 From: Abhishek Arya <inferno@chromium.org> Date: Sun, 22 Jan 2012 17:47:50 +0800 Subject: [PATCH] Fix some case of pattern parsing errors We could accidentally hit an off by one string array access due to improper loop exit when parsing patterns --- libxslt/pattern.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/libxslt/pattern.c b/libxslt/pattern.c index 6161376..1155b54 100644 --- a/libxslt/pattern.c +++ b/libxslt/pattern.c @@ -1867,6 +1867,8 @@ xsltCompilePatternInternal(const xmlChar *pattern, xmlDocPtr doc, while ((pattern[end] != 0) && (pattern[end] != '"')) end++; } + if (pattern[end] == 0) + break; end++; } if (current == end) { -- 1.7.8.4 Loading
package/libxslt/libxslt-configure.patch→package/libxslt/libxslt-1.1.26-configure.patch +0 −0 File moved. View file
package/libxslt/libxslt-1.1.26-id-generation.patch 0 → 100644 +56 −0 Original line number Diff line number Diff line From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001 From: Daniel Veillard <veillard@redhat.com> Date: Tue, 22 Feb 2011 02:14:23 +0000 Subject: Fix generate-id() to not expose object addresses As pointed out by Chris Evans <scarybeasts@gmail.com> it's better security wise to not expose object addresses directly, use a diff w.r.t. the document root own address to avoid this * libxslt/functions.c: fix IDs generation code --- diff --git a/libxslt/functions.c b/libxslt/functions.c index 4720c7a..de962f4 100644 --- a/libxslt/functions.c +++ b/libxslt/functions.c @@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) void xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ xmlNodePtr cur = NULL; - unsigned long val; - xmlChar str[20]; + long val; + xmlChar str[30]; + xmlDocPtr doc; if (nargs == 0) { cur = ctxt->context->node; @@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ * Okay this is ugly but should work, use the NodePtr address * to forge the ID */ - val = (unsigned long)((char *)cur - (char *)0); - val /= sizeof(xmlNode); - sprintf((char *)str, "id%ld", val); + if (cur->type != XML_NAMESPACE_DECL) + doc = cur->doc; + else { + xmlNsPtr ns = (xmlNsPtr) cur; + + if (ns->context != NULL) + doc = ns->context; + else + doc = ctxt->context->doc; + + } + + val = (long)((char *)cur - (char *)doc); + if (val >= 0) { + sprintf((char *)str, "idp%ld", val); + } else { + sprintf((char *)str, "idm%ld", -val); + } valuePush(ctxt, xmlXPathNewString(str)); } -- cgit v0.8.3.4
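Review bot: The comment kept as context in the second hunk, `* Okay this is ugly but should work, use the NodePtr address * to forge the ID`, is now stale: the new code derives the id from the node's offset relative to its document, not from the raw address, and the comment should say so, e.g. `/* Use the node's offset from its document rather than its raw address so generate-id() does not leak heap addresses; idp/idm encode the sign. */`. If `cur->doc` can be NULL for a node that is not linked into a document (it appears to be a plain pointer field here), `doc` stays NULL in the non-namespace branch and `val` degenerates to the raw address again, so a fallback `if (doc == NULL) doc = ctxt->context->doc;` before the subtraction would keep the mitigation complete — please confirm against the callers. Subtracting two pointers into unrelated objects is formally undefined even through `char *`; `val = (long)((uintptr_t)cur - (uintptr_t)doc);` expresses the same intent on defined ground. The same file section is rendered a second time earlier on this page; this note applies to both copies.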
package/libxslt/libxslt-1.1.26-pattern-out-of-bounds-read.patch 0 → 100644 +27 −0 Original line number Diff line number Diff line From fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b Mon Sep 17 00:00:00 2001 From: Abhishek Arya <inferno@chromium.org> Date: Sun, 22 Jan 2012 17:47:50 +0800 Subject: [PATCH] Fix some case of pattern parsing errors We could accidentally hit an off by one string array access due to improper loop exit when parsing patterns --- libxslt/pattern.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/libxslt/pattern.c b/libxslt/pattern.c index 6161376..1155b54 100644 --- a/libxslt/pattern.c +++ b/libxslt/pattern.c @@ -1867,6 +1867,8 @@ xsltCompilePatternInternal(const xmlChar *pattern, xmlDocPtr doc, while ((pattern[end] != 0) && (pattern[end] != '"')) end++; } + if (pattern[end] == 0) + break; end++; } if (current == end) { -- 1.7.8.4
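Review bot: The added `if (pattern[end] == 0) break;` turns an unterminated quoted literal into a silent end of pattern instead of a reported parse error, and nothing in the hunk documents that this is deliberate; a comment such as `/* unterminated quoted literal: stop at the NUL instead of stepping past it */` would make the intent clear to the next reader. The check sits after the closing brace of the `"` scanning loop, so whether it also covers the single-quote branch depends on the code above the hunk, which is outside this view; if that branch is a sibling `else` arm inside the same block it is covered, otherwise it needs the same guard. The enclosing loop and xsltCompilePatternInternal both start and end outside the hunk. The same file section is rendered a second time earlier on this page.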