From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Libxslt CVE-2016-4738
Date: Tue, 8 Nov 2016 17:16:16 -0500
Message-ID: <20161108221616.GA2468@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="ADZbWkCsHQ7r3kzd"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38675)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1c4Egp-0008Tf-Kc
	for guix-devel@gnu.org; Tue, 08 Nov 2016 17:16:24 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1c4Egl-0000sG-4d
	for guix-devel@gnu.org; Tue, 08 Nov 2016 17:16:23 -0500
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:36521)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1c4Egl-0000rh-01
	for guix-devel@gnu.org; Tue, 08 Nov 2016 17:16:19 -0500
Received: from localhost (c-68-81-58-201.hsd1.pa.comcast.net [68.81.58.201])
	by mail.messagingengine.com (Postfix) with ESMTPA id B23D2F29D1
	for <guix-devel@gnu.org>; Tue,  8 Nov 2016 17:16:17 -0500 (EST)
Content-Disposition: inline
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org


--ADZbWkCsHQ7r3kzd
Content-Type: multipart/mixed; boundary="Kj7319i9nmIyA2yE"
Content-Disposition: inline


--Kj7319i9nmIyA2yE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Here is a patch to fix CVE-2016-4738 in libxslt.

--Kj7319i9nmIyA2yE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0001-gnu-libxslt-Fix-CVE-2016-4738.patch"
Content-Transfer-Encoding: quoted-printable

=46rom 1cbfeb5bb98924eddf1726fe56987fd1d282e7f8 Mon Sep 17 00:00:00 2001
=46rom: Leo Famulari <leo@famulari.name>
Date: Tue, 8 Nov 2016 17:12:01 -0500
Subject: [PATCH] gnu: libxslt: Fix CVE-2016-4738.

* gnu/packages/patches/libxslt-CVE-2016-4738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xml.scm (libxslt)[replacement]: New field.
(libxslt/fixed): New variable.
---
 gnu/local.mk                                     |  1 +
 gnu/packages/patches/libxslt-CVE-2016-4738.patch | 39 ++++++++++++++++++++=
++++
 gnu/packages/xml.scm                             |  9 ++++++
 3 files changed, 49 insertions(+)
 create mode 100644 gnu/packages/patches/libxslt-CVE-2016-4738.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 3962813..6e152eb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -692,6 +692,7 @@ dist_patch_DATA =3D						\
   %D%/packages/patches/libxv-CVE-2016-5407.patch		\
   %D%/packages/patches/libxvmc-CVE-2016-7953.patch		\
   %D%/packages/patches/libxslt-generated-ids.patch		\
+  %D%/packages/patches/libxslt-CVE-2016-4738.patch		\
   %D%/packages/patches/lirc-localstatedir.patch			\
   %D%/packages/patches/llvm-for-extempore.patch			\
   %D%/packages/patches/lm-sensors-hwmon-attrs.patch		\
diff --git a/gnu/packages/patches/libxslt-CVE-2016-4738.patch b/gnu/package=
s/patches/libxslt-CVE-2016-4738.patch
new file mode 100644
index 0000000..a7537c6
--- /dev/null
+++ b/gnu/packages/patches/libxslt-CVE-2016-4738.patch
@@ -0,0 +1,39 @@
+Fix CVE-2016-4738:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-4738
+https://bugs.chromium.org/p/chromium/issues/detail?id=3D619006
+
+Patch copied from upstream source repository:
+https://git.gnome.org/browse/libxslt/commit/?id=3Deb1030de31165b68487f2883=
08f9d1810fed6880
+
+From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jun 2016 14:23:58 +0200
+Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
+
+An empty decimal-separator could cause a heap overread. This can be
+exploited to leak a couple of bytes after the buffer that holds the
+pattern string.
+
+Found with afl-fuzz and ASan.
+---
+ libxslt/numbers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index d1549b4..e78c46b 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
+     }
+=20
+     /* We have finished the integer part, now work on fraction */
+-    if (xsltUTF8Charcmp(the_format, self->decimalPoint) =3D=3D 0) {
++    if ( (*the_format !=3D 0) &&
++         (xsltUTF8Charcmp(the_format, self->decimalPoint) =3D=3D 0) ) {
+         format_info.add_decimal =3D TRUE;
+ 	the_format +=3D xsltUTF8Size(the_format);	/* Skip over the decimal */
+     }
+--=20
+2.10.2
+
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 879b37a..d6c034b 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -147,6 +147,7 @@ project (but it is usable outside of the Gnome platform=
).")
 (define-public libxslt
   (package
     (name "libxslt")
+    (replacement libxslt/fixed)
     (version "1.1.29")
     (source (origin
              (method url-fetch)
@@ -168,6 +169,14 @@ project (but it is usable outside of the Gnome platfor=
m).")
 based on libxml for XML parsing, tree manipulation and XPath support.")
     (license license:x11)))
=20
+(define libxslt/fixed
+  (package
+    (inherit libxslt)
+    (name "libxslt")
+    (source (origin
+              (inherit (package-source libxslt))
+              (patches (search-patches "libxslt-CVE-2016-4738.patch"))))))
+
 (define-public perl-graph-readwrite
   (package
     (name "perl-graph-readwrite")
--=20
2.10.2


--Kj7319i9nmIyA2yE--

--ADZbWkCsHQ7r3kzd
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJYIk6tAAoJECZG+jC6yn8IXskQAIFtwMb8rkC6511deJr/QHTZ
NoHk0CYfjegewIBrlRxpmjB18xQiW2qqHOB94wqYSOB9bzKuKBOlFJpAWV5go88g
IdQx5LumdLFghFn2WBSp/ijT4Rp8ysyjdleEr24UfPAL5yQ7i0tIw9z/f4oRLMjp
Y6ACPLgaCVoeWuLdeRs9oc43L/trjjZRrEzZSf5IR1ySZXx1IBCsgyHTUEFJh6Pq
yD4uBr3J46UReisRMWKQWRAp6pzkY71X3BiGDA4SzsZwoYt9Kj0docSCO9m/vZui
vUHxdg4vloz+7bz9/jfcidvdxRAuK1Xlli8jJwE+4X6hwe1qOJz/cke/r6CQLF1O
gQD3wpnEamTXhY6ixDLgqPJDKdvmitKmqfxTtK3SsLcAx2MXkGbUz4DgRblp+bzR
lDZ+8IsG2zayjQR5O0UBz9MxDFPmlwrPh5lJRD56EXp3YUYLzGVO6ihwKzEqILuD
bhFuJ/Pf+oJrVRoH5vHN1F76wET7Cbo5bkywv1f9eyBzIAGfj0yoapDDiogBDjD5
TTc08zmuyK5+JsL+XiMeOKzNySNb3ECCR2WRR2et5XueZx7oBFt22NOYMNSu6xrN
Y/tYiA8mwVgUCFLARK8eCP0JTDlWqFT+u+sMSxH0pQqjGlFnq1Wed4KNqrCqDE6O
SLHGoAnJhGfqSkELkV4z
=FYT3
-----END PGP SIGNATURE-----

--ADZbWkCsHQ7r3kzd--