From: Leo Famulari
Subject: Libxslt CVE-2016-4738
Date: Tue, 8 Nov 2016 17:16:16 -0500
Message-ID: <20161108221616.GA2468@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="ADZbWkCsHQ7r3kzd"
List-Id: "Development of GNU Guix and the GNU System distribution."
Sender: "Guix-devel"
To: guix-devel@gnu.org

--ADZbWkCsHQ7r3kzd
Content-Type: multipart/mixed; boundary="Kj7319i9nmIyA2yE"
Content-Disposition: inline

--Kj7319i9nmIyA2yE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Here is a patch to fix CVE-2016-4738 in libxslt.

--Kj7319i9nmIyA2yE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0001-gnu-libxslt-Fix-CVE-2016-4738.patch"
Content-Transfer-Encoding: quoted-printable

=46rom 1cbfeb5bb98924eddf1726fe56987fd1d282e7f8 Mon Sep 17 00:00:00 2001
=46rom: Leo Famulari
Date: Tue, 8 Nov 2016 17:12:01 -0500
Subject: [PATCH] gnu: libxslt: Fix CVE-2016-4738.
* gnu/packages/patches/libxslt-CVE-2016-4738.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xml.scm (libxslt)[replacement]: New field. (libxslt/fixed): New variable. --- gnu/local.mk | 1 + gnu/packages/patches/libxslt-CVE-2016-4738.patch | 39 ++++++++++++++++++++= ++++ gnu/packages/xml.scm | 9 ++++++ 3 files changed, 49 insertions(+) create mode 100644 gnu/packages/patches/libxslt-CVE-2016-4738.patch diff --git a/gnu/local.mk b/gnu/local.mk index 3962813..6e152eb 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -692,6 +692,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/libxv-CVE-2016-5407.patch \ %D%/packages/patches/libxvmc-CVE-2016-7953.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ + %D%/packages/patches/libxslt-CVE-2016-4738.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/llvm-for-extempore.patch \ %D%/packages/patches/lm-sensors-hwmon-attrs.patch \ diff --git a/gnu/packages/patches/libxslt-CVE-2016-4738.patch b/gnu/package= s/patches/libxslt-CVE-2016-4738.patch new file mode 100644 index 0000000..a7537c6 --- /dev/null +++ b/gnu/packages/patches/libxslt-CVE-2016-4738.patch 
@@ -0,0 +1,39 @@ +Fix CVE-2016-4738: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-4738 +https://bugs.chromium.org/p/chromium/issues/detail?id=3D619006 + +Patch copied from upstream source repository: +https://git.gnome.org/browse/libxslt/commit/?id=3Deb1030de31165b68487f2883= 08f9d1810fed6880 + +From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 10 Jun 2016 14:23:58 +0200 +Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion + +An empty decimal-separator could cause a heap overread. This can be +exploited to leak a couple of bytes after the buffer that holds the +pattern string. + +Found with afl-fuzz and ASan. +--- + libxslt/numbers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index d1549b4..e78c46b 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self, + } +=20 + /* We have finished the integer part, now work on fraction */ +- if (xsltUTF8Charcmp(the_format, self->decimalPoint) =3D=3D 0) { ++ if ( (*the_format !=3D 0) && ++ (xsltUTF8Charcmp(the_format, self->decimalPoint) =3D=3D 0) ) { + format_info.add_decimal =3D TRUE; + the_format +=3D xsltUTF8Size(the_format); /* Skip over the decimal */ + } +--=20 +2.10.2 + diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 879b37a..d6c034b 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -147,6 +147,7 @@ project (but it is usable outside of the Gnome platform= ).") (define-public libxslt (package (name "libxslt") + (replacement libxslt/fixed) (version "1.1.29") (source (origin (method url-fetch) 
@@ -168,6 +169,14 @@ project (but it is usable outside of the Gnome platfor= m).") based on libxml for XML parsing, tree manipulation and XPath support.") (license license:x11))) =20 +(define libxslt/fixed + (package + (inherit libxslt) + (name "libxslt") + (source (origin + (inherit (package-source libxslt)) + (patches (search-patches "libxslt-CVE-2016-4738.patch")))))) + (define-public perl-graph-readwrite (package (name "perl-graph-readwrite") --=20 2.10.2 --Kj7319i9nmIyA2yE-- --ADZbWkCsHQ7r3kzd Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJYIk6tAAoJECZG+jC6yn8IXskQAIFtwMb8rkC6511deJr/QHTZ NoHk0CYfjegewIBrlRxpmjB18xQiW2qqHOB94wqYSOB9bzKuKBOlFJpAWV5go88g IdQx5LumdLFghFn2WBSp/ijT4Rp8ysyjdleEr24UfPAL5yQ7i0tIw9z/f4oRLMjp Y6ACPLgaCVoeWuLdeRs9oc43L/trjjZRrEzZSf5IR1ySZXx1IBCsgyHTUEFJh6Pq yD4uBr3J46UReisRMWKQWRAp6pzkY71X3BiGDA4SzsZwoYt9Kj0docSCO9m/vZui vUHxdg4vloz+7bz9/jfcidvdxRAuK1Xlli8jJwE+4X6hwe1qOJz/cke/r6CQLF1O gQD3wpnEamTXhY6ixDLgqPJDKdvmitKmqfxTtK3SsLcAx2MXkGbUz4DgRblp+bzR lDZ+8IsG2zayjQR5O0UBz9MxDFPmlwrPh5lJRD56EXp3YUYLzGVO6ihwKzEqILuD bhFuJ/Pf+oJrVRoH5vHN1F76wET7Cbo5bkywv1f9eyBzIAGfj0yoapDDiogBDjD5 TTc08zmuyK5+JsL+XiMeOKzNySNb3ECCR2WRR2et5XueZx7oBFt22NOYMNSu6xrN Y/tYiA8mwVgUCFLARK8eCP0JTDlWqFT+u+sMSxH0pQqjGlFnq1Wed4KNqrCqDE6O SLHGoAnJhGfqSkELkV4z =FYT3 -----END PGP SIGNATURE----- --ADZbWkCsHQ7r3kzd--
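Review bot: in the new gnu/packages/patches/libxslt-CVE-2016-4738.patch hunk, the upstream change guards only the decimal-point comparison: the added `(*the_format != 0) &&` stops xsltUTF8Charcmp from reporting a match against an empty self->decimalPoint when the_format already points at the pattern's terminating NUL, which is what otherwise let the following `the_format += xsltUTF8Size(the_format)` step past the end of the pattern buffer (the heap over-read the commit message describes). Whether the same compare-then-advance pattern exists at other separator checks in xsltFormatNumberConversion is not visible from this hunk, so it is worth confirming against the cited upstream commit that this single site is all CVE-2016-4738 covers before treating the package as fully fixed. The patch header itself is in good shape: it names the CVE, the Chromium bug and the exact upstream commit id it was copied from.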
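Review bot: in the first gnu/packages/xml.scm hunk, `(replacement libxslt/fixed)` refers to a variable that is only defined further down in the file; that is fine because the package record's replacement field is thunked, so the reference is resolved when a graft is computed rather than when the libxslt definition is evaluated. Grafting also requires the replacement to keep the same name and version as the original so that the two store file names have equal length, and this hunk satisfies that since it adds only the replacement field and leaves (version "1.1.29") untouched.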
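Review bot: in the second gnu/packages/xml.scm hunk, `(patches (search-patches "libxslt-CVE-2016-4738.patch"))` replaces the inherited patch list rather than extending it. The gnu/local.mk hunk shows that a libxslt-generated-ids.patch already exists in the tree; if the libxslt origin applies it (its patches field is outside the visible context of the first xml.scm hunk), the grafted replacement would silently lose that patch and behave differently from the package it replaces. Safer to write `(patches (append (origin-patches (package-source libxslt)) (search-patches "libxslt-CVE-2016-4738.patch")))`, or to list both patch files explicitly. Also, `(name "libxslt")` is redundant after `(inherit libxslt)` and can be dropped.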