[gnome-continuous-yocto/gnomeostree-3.28-rocko: 6029/8267] libxslt: Fix CVE-2017-5029

From: Emmanuele Bassi <ebassi src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-continuous-yocto/gnomeostree-3.28-rocko: 6029/8267] libxslt: Fix CVE-2017-5029
Date: Sun, 17 Dec 2017 04:16:10 +0000 (UTC)
commit 4e5fd279b867b045456033fd390877a8b3c9fb0f
Author: Fan Xin <fan xin jp fujitsu com>
Date:   Fri May 26 11:39:06 2017 +0900

    libxslt: Fix CVE-2017-5029
    
    Backport upstream patch to fix CVE-2017-5029.
    
    (From OE-Core rev: 5266e74c990df1cf965d162d9695eb5a698883ae)
    
    Signed-off-by: Fan Xin <fan xin jp fujitsu com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 ...for-integer-overflow-in-xsltAddTextString.patch |   80 ++++++++++++++++++++
 meta/recipes-support/libxslt/libxslt_1.1.29.bb     |    1 +
 2 files changed, 81 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch 
b/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch
new file mode 100644
index 0000000..57aaacc
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch
@@ -0,0 +1,80 @@
+From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer aevum de>
+Date: Thu, 12 Jan 2017 15:39:52 +0100
+Subject: [PATCH] Check for integer overflow in xsltAddTextString
+
+Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
+exploited to trigger an out of bounds write on 64-bit systems.
+
+Originally reported to Chromium:
+
+https://crbug.com/676623
+
+CVE: CVE-2017-5029
+Upstream-Status: Backport
+
+Signed-off-by: Fan Xin <fan xin jp fujitus com>
+
+---
+ libxslt/transform.c     | 25 ++++++++++++++++++++++---
+ libxslt/xsltInternals.h |  4 ++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 519133f..02bff34 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+         return(target);
+ 
+     if (ctxt->lasttext == target->content) {
++        int minSize;
+ 
+-      if (ctxt->lasttuse + len >= ctxt->lasttsize) {
++        /* Check for integer overflow accounting for NUL terminator. */
++        if (len >= INT_MAX - ctxt->lasttuse) {
++            xsltTransformError(ctxt, NULL, target,
++                "xsltCopyText: text allocation failed\n");
++            return(NULL);
++        }
++        minSize = ctxt->lasttuse + len + 1;
++
++        if (ctxt->lasttsize < minSize) {
+           xmlChar *newbuf;
+           int size;
++            int extra;
++
++            /* Double buffer size but increase by at least 100 bytes. */
++            extra = minSize < 100 ? 100 : minSize;
++
++            /* Check for integer overflow. */
++            if (extra > INT_MAX - ctxt->lasttsize) {
++                size = INT_MAX;
++            }
++            else {
++                size = ctxt->lasttsize + extra;
++            }
+ 
+-          size = ctxt->lasttsize + len + 100;
+-          size *= 2;
+           newbuf = (xmlChar *) xmlRealloc(target->content,size);
+           if (newbuf == NULL) {
+               xsltTransformError(ctxt, NULL, target,
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 060b178..5ad1771 100644
+--- a/libxslt/xsltInternals.h
++++ b/libxslt/xsltInternals.h
+@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
+      * Speed optimization when coalescing text nodes
+      */
+     const xmlChar  *lasttext;         /* last text node content */
+-    unsigned int    lasttsize;                /* last text node size */
+-    unsigned int    lasttuse;         /* last text node use */
++    int             lasttsize;                /* last text node size */
++    int             lasttuse;         /* last text node use */
+     /*
+      * Per Context Debugging
+      */
+-- 
+1.9.1
+
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.29.bb b/meta/recipes-support/libxslt/libxslt_1.1.29.bb
index 2946a74..d27c706 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.29.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.29.bb
@@ -12,6 +12,7 @@ SRC_URI = "ftp://xmlsoft.org/libxslt/libxslt-${PV}.tar.gz \
            file://pkgconfig_fix.patch \
            file://0001-Use-pkg-config-to-find-gcrypt-and-libxml2.patch \
            file://0001-Link-libraries-with-libm.patch \
+           file://0001-Check-for-integer-overflow-in-xsltAddTextString.patch \
            "
 
 SRC_URI[md5sum] = "a129d3c44c022de3b9dcf6d6f288d72e"
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]