* [bug#29797] [PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738.
@ 2017-12-21 7:19 Leo Famulari
2017-12-21 10:15 ` Ludovic Courtès
0 siblings, 1 reply; 3+ messages in thread
From: Leo Famulari @ 2017-12-21 7:19 UTC (permalink / raw)
To: 29797
This is a followup to commit 2663c38826cd6c2ef0c5119f8072fac8e89b2e9b.
* gnu/packages/xml.scm (libxslt)[replacement]: New field.
(libxslt/fixed): New variable.
* gnu/packages/patches/libxslt-CVE-2017-5029.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/patches/libxslt-CVE-2017-5029.patch | 82 ++++++++++++++++++++++++
gnu/packages/xml.scm | 13 ++++
3 files changed, 96 insertions(+)
create mode 100644 gnu/packages/patches/libxslt-CVE-2017-5029.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 8ffcc5800..f619d1363 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -849,6 +849,7 @@ dist_patch_DATA = \
%D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
%D%/packages/patches/libxslt-CVE-2016-4738.patch \
+ %D%/packages/patches/libxslt-CVE-2017-5029.patch \
%D%/packages/patches/libxt-guix-search-paths.patch \
%D%/packages/patches/lierolibre-check-unaligned-access.patch \
%D%/packages/patches/lierolibre-is-free-software.patch \
diff --git a/gnu/packages/patches/libxslt-CVE-2017-5029.patch b/gnu/packages/patches/libxslt-CVE-2017-5029.patch
new file mode 100644
index 000000000..cd86928b2
--- /dev/null
+++ b/gnu/packages/patches/libxslt-CVE-2017-5029.patch
@@ -0,0 +1,82 @@
+Fix CVE-2017-5029:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5029
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5
+
+From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 12 Jan 2017 15:39:52 +0100
+Subject: [PATCH] Check for integer overflow in xsltAddTextString
+
+Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
+exploited to trigger an out of bounds write on 64-bit systems.
+
+Originally reported to Chromium:
+
+https://crbug.com/676623
+---
+ libxslt/transform.c | 25 ++++++++++++++++++++++---
+ libxslt/xsltInternals.h | 4 ++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 519133fc..02bff34a 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ return(target);
+
+ if (ctxt->lasttext == target->content) {
++ int minSize;
+
+- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
++ /* Check for integer overflow accounting for NUL terminator. */
++ if (len >= INT_MAX - ctxt->lasttuse) {
++ xsltTransformError(ctxt, NULL, target,
++ "xsltCopyText: text allocation failed\n");
++ return(NULL);
++ }
++ minSize = ctxt->lasttuse + len + 1;
++
++ if (ctxt->lasttsize < minSize) {
+ xmlChar *newbuf;
+ int size;
++ int extra;
++
++ /* Double buffer size but increase by at least 100 bytes. */
++ extra = minSize < 100 ? 100 : minSize;
++
++ /* Check for integer overflow. */
++ if (extra > INT_MAX - ctxt->lasttsize) {
++ size = INT_MAX;
++ }
++ else {
++ size = ctxt->lasttsize + extra;
++ }
+
+- size = ctxt->lasttsize + len + 100;
+- size *= 2;
+ newbuf = (xmlChar *) xmlRealloc(target->content,size);
+ if (newbuf == NULL) {
+ xsltTransformError(ctxt, NULL, target,
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 060b1783..5ad17719 100644
+--- a/libxslt/xsltInternals.h
++++ b/libxslt/xsltInternals.h
+@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
+ * Speed optimization when coalescing text nodes
+ */
+ const xmlChar *lasttext; /* last text node content */
+- unsigned int lasttsize; /* last text node size */
+- unsigned int lasttuse; /* last text node use */
++ int lasttsize; /* last text node size */
++ int lasttuse; /* last text node use */
+ /*
+ * Per Context Debugging
+ */
+--
+2.15.1
+
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 4f75de344..9cf9e1411 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -188,6 +188,7 @@ project (but it is usable outside of the Gnome platform).")
(define-public libxslt
(package
(name "libxslt")
+ (replacement libxslt/fixed)
(version "1.1.29")
(source (origin
(method url-fetch)
@@ -197,6 +198,9 @@ project (but it is usable outside of the Gnome platform).")
(sha256
(base32
"1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
+ ;; XXX Oops, a redefinition of the patches field, which means the
+ ;; patch for CVE-2016-4738 is not used. Fixed in the definition of
+ ;; libxslt-fixed below.
(patches (search-patches "libxslt-generated-ids.patch"))))
(build-system gnu-build-system)
(home-page "http://xmlsoft.org/XSLT/index.html")
@@ -210,6 +214,15 @@ project (but it is usable outside of the Gnome platform).")
based on libxml for XML parsing, tree manipulation and XPath support.")
(license license:x11)))
+(define libxslt/fixed
+ (package
+ (inherit libxslt)
+ (source (origin
+ (inherit (package-source libxslt))
+ (patches (search-patches "libxslt-CVE-2016-4738.patch"
+ "libxslt-CVE-2017-5029.patch"
+ "libxslt-generated-ids.patch"))))))
+
(define-public perl-graph-readwrite
(package
(name "perl-graph-readwrite")
--
2.15.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [bug#29797] [PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738.
2017-12-21 7:19 [bug#29797] [PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738 Leo Famulari
@ 2017-12-21 10:15 ` Ludovic Courtès
2017-12-21 17:30 ` bug#29797: " Leo Famulari
0 siblings, 1 reply; 3+ messages in thread
From: Ludovic Courtès @ 2017-12-21 10:15 UTC (permalink / raw)
To: Leo Famulari; +Cc: 29797
Leo Famulari <leo@famulari.name> skribis:
> This is a followup to commit 2663c38826cd6c2ef0c5119f8072fac8e89b2e9b.
>
> * gnu/packages/xml.scm (libxslt)[replacement]: New field.
> (libxslt/fixed): New variable.
> * gnu/packages/patches/libxslt-CVE-2017-5029.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
[...]
> --- a/gnu/packages/xml.scm
> +++ b/gnu/packages/xml.scm
> @@ -188,6 +188,7 @@ project (but it is usable outside of the Gnome platform).")
> (define-public libxslt
> (package
> (name "libxslt")
> + (replacement libxslt/fixed)
> (version "1.1.29")
> (source (origin
> (method url-fetch)
> @@ -197,6 +198,9 @@ project (but it is usable outside of the Gnome platform).")
> (sha256
> (base32
> "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
> + ;; XXX Oops, a redefinition of the patches field, which means the
> + ;; patch for CVE-2016-4738 is not used. Fixed in the definition of
> + ;; libxslt-fixed below.
> (patches (search-patches "libxslt-generated-ids.patch"))))
Oops, indeed! You can remove the unused ‘patches’ line while you’re at it.
> (build-system gnu-build-system)
> (home-page "http://xmlsoft.org/XSLT/index.html")
> @@ -210,6 +214,15 @@ project (but it is usable outside of the Gnome platform).")
> based on libxml for XML parsing, tree manipulation and XPath support.")
> (license license:x11)))
>
> +(define libxslt/fixed
> + (package
> + (inherit libxslt)
> + (source (origin
> + (inherit (package-source libxslt))
> + (patches (search-patches "libxslt-CVE-2016-4738.patch"
> + "libxslt-CVE-2017-5029.patch"
> + "libxslt-generated-ids.patch"))))))
LGTM, thanks!
Ludo’.
^ permalink raw reply [flat|nested] 3+ messages in thread
* bug#29797: [PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738.
2017-12-21 10:15 ` Ludovic Courtès
@ 2017-12-21 17:30 ` Leo Famulari
0 siblings, 0 replies; 3+ messages in thread
From: Leo Famulari @ 2017-12-21 17:30 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 29797-done
[-- Attachment #1: Type: text/plain, Size: 572 bytes --]
On Thu, Dec 21, 2017 at 11:15:46AM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > + ;; XXX Oops, a redefinition of the patches field, which means the
> > + ;; patch for CVE-2016-4738 is not used. Fixed in the definition of
> > + ;; libxslt-fixed below.
> > (patches (search-patches "libxslt-generated-ids.patch"))))
>
> Oops, indeed! You can remove the unused ‘patches’ line while you’re at it.
I commented it out and pushed as
0c9c9526bb3fb665997b3b054f8b57ffdb559043.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-12-21 17:31 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-12-21 7:19 [bug#29797] [PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738 Leo Famulari
2017-12-21 10:15 ` Ludovic Courtès
2017-12-21 17:30 ` bug#29797: " Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).