unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Libxslt CVE-2016-4738
@ 2016-11-08 22:16 Leo Famulari
  2016-11-09  0:57 ` Marius Bakke
  0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2016-11-08 22:16 UTC (permalink / raw)
  To: guix-devel


[-- Attachment #1.1: Type: text/plain, Size: 49 bytes --]

Here is a patch to fix CVE-2016-4738 in libxslt.

[-- Attachment #1.2: 0001-gnu-libxslt-Fix-CVE-2016-4738.patch --]
[-- Type: text/plain, Size: 3856 bytes --]

From 1cbfeb5bb98924eddf1726fe56987fd1d282e7f8 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Tue, 8 Nov 2016 17:12:01 -0500
Subject: [PATCH] gnu: libxslt: Fix CVE-2016-4738.

* gnu/packages/patches/libxslt-CVE-2016-4738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xml.scm (libxslt)[replacement]: New field.
(libxslt/fixed): New variable.
---
 gnu/local.mk                                     |  1 +
 gnu/packages/patches/libxslt-CVE-2016-4738.patch | 39 ++++++++++++++++++++++++
 gnu/packages/xml.scm                             |  9 ++++++
 3 files changed, 49 insertions(+)
 create mode 100644 gnu/packages/patches/libxslt-CVE-2016-4738.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 3962813..6e152eb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -692,6 +692,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libxv-CVE-2016-5407.patch		\
   %D%/packages/patches/libxvmc-CVE-2016-7953.patch		\
   %D%/packages/patches/libxslt-generated-ids.patch		\
+  %D%/packages/patches/libxslt-CVE-2016-4738.patch		\
   %D%/packages/patches/lirc-localstatedir.patch			\
   %D%/packages/patches/llvm-for-extempore.patch			\
   %D%/packages/patches/lm-sensors-hwmon-attrs.patch		\
diff --git a/gnu/packages/patches/libxslt-CVE-2016-4738.patch b/gnu/packages/patches/libxslt-CVE-2016-4738.patch
new file mode 100644
index 0000000..a7537c6
--- /dev/null
+++ b/gnu/packages/patches/libxslt-CVE-2016-4738.patch
@@ -0,0 +1,39 @@
+Fix CVE-2016-4738:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738
+https://bugs.chromium.org/p/chromium/issues/detail?id=619006
+
+Patch copied from upstream source repository:
+https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880
+
+From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jun 2016 14:23:58 +0200
+Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
+
+An empty decimal-separator could cause a heap overread. This can be
+exploited to leak a couple of bytes after the buffer that holds the
+pattern string.
+
+Found with afl-fuzz and ASan.
+---
+ libxslt/numbers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index d1549b4..e78c46b 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
+     }
+ 
+     /* We have finished the integer part, now work on fraction */
+-    if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
++    if ( (*the_format != 0) &&
++         (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
+         format_info.add_decimal = TRUE;
+ 	the_format += xsltUTF8Size(the_format);	/* Skip over the decimal */
+     }
+-- 
+2.10.2
+
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 879b37a..d6c034b 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -147,6 +147,7 @@ project (but it is usable outside of the Gnome platform).")
 (define-public libxslt
   (package
     (name "libxslt")
+    (replacement libxslt/fixed)
     (version "1.1.29")
     (source (origin
              (method url-fetch)
@@ -168,6 +169,14 @@ project (but it is usable outside of the Gnome platform).")
 based on libxml for XML parsing, tree manipulation and XPath support.")
     (license license:x11)))
 
+(define libxslt/fixed
+  (package
+    (inherit libxslt)
+    (name "libxslt")
+    (source (origin
+              (inherit (package-source libxslt))
+              (patches (search-patches "libxslt-CVE-2016-4738.patch"))))))
+
 (define-public perl-graph-readwrite
   (package
     (name "perl-graph-readwrite")
-- 
2.10.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: Libxslt CVE-2016-4738
  2016-11-08 22:16 Libxslt CVE-2016-4738 Leo Famulari
@ 2016-11-09  0:57 ` Marius Bakke
  2016-11-09  1:49   ` Kei Kebreau
  2016-11-09 15:20   ` Leo Famulari
  0 siblings, 2 replies; 4+ messages in thread
From: Marius Bakke @ 2016-11-09  0:57 UTC (permalink / raw)
  To: Leo Famulari, guix-devel

[-- Attachment #1: Type: text/plain, Size: 545 bytes --]

Leo Famulari <leo@famulari.name> writes:

> Here is a patch to fix CVE-2016-4738 in libxslt.
> From 1cbfeb5bb98924eddf1726fe56987fd1d282e7f8 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Tue, 8 Nov 2016 17:12:01 -0500
> Subject: [PATCH] gnu: libxslt: Fix CVE-2016-4738.
>
> * gnu/packages/patches/libxslt-CVE-2016-4738.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/xml.scm (libxslt)[replacement]: New field.
> (libxslt/fixed): New variable.

Yay, more grafts ;)

Anyway, LGTM, thanks!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 454 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Libxslt CVE-2016-4738
  2016-11-09  0:57 ` Marius Bakke
@ 2016-11-09  1:49   ` Kei Kebreau
  2016-11-09 15:20   ` Leo Famulari
  1 sibling, 0 replies; 4+ messages in thread
From: Kei Kebreau @ 2016-11-09  1:49 UTC (permalink / raw)
  To: Marius Bakke; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 633 bytes --]

Marius Bakke <mbakke@fastmail.com> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> Here is a patch to fix CVE-2016-4738 in libxslt.
>> From 1cbfeb5bb98924eddf1726fe56987fd1d282e7f8 Mon Sep 17 00:00:00 2001
>> From: Leo Famulari <leo@famulari.name>
>> Date: Tue, 8 Nov 2016 17:12:01 -0500
>> Subject: [PATCH] gnu: libxslt: Fix CVE-2016-4738.
>>
>> * gnu/packages/patches/libxslt-CVE-2016-4738.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it.
>> * gnu/packages/xml.scm (libxslt)[replacement]: New field.
>> (libxslt/fixed): New variable.
>
> Yay, more grafts ;)
Aw yeah!

>
> Anyway, LGTM, thanks!

LGTM as well!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 800 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Libxslt CVE-2016-4738
  2016-11-09  0:57 ` Marius Bakke
  2016-11-09  1:49   ` Kei Kebreau
@ 2016-11-09 15:20   ` Leo Famulari
  1 sibling, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2016-11-09 15:20 UTC (permalink / raw)
  To: Marius Bakke; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 735 bytes --]

On Wed, Nov 09, 2016 at 12:57:50AM +0000, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > Here is a patch to fix CVE-2016-4738 in libxslt.
> > From 1cbfeb5bb98924eddf1726fe56987fd1d282e7f8 Mon Sep 17 00:00:00 2001
> > From: Leo Famulari <leo@famulari.name>
> > Date: Tue, 8 Nov 2016 17:12:01 -0500
> > Subject: [PATCH] gnu: libxslt: Fix CVE-2016-4738.
> >
> > * gnu/packages/patches/libxslt-CVE-2016-4738.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/xml.scm (libxslt)[replacement]: New field.
> > (libxslt/fixed): New variable.
> 
> Yay, more grafts ;)
> 
> Anyway, LGTM, thanks!

Thanks for the reviews. Pushed as
0b34b58688ac0d9bc0e2700acf82269e67ccdfa3

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-11-09 15:21 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-08 22:16 Libxslt CVE-2016-4738 Leo Famulari
2016-11-09  0:57 ` Marius Bakke
2016-11-09  1:49   ` Kei Kebreau
2016-11-09 15:20   ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).