gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738.

This is a followup to commit 2663c38826.

* gnu/packages/xml.scm (libxslt)[replacement]: New field.
(libxslt/fixed): New variable.
* gnu/packages/patches/libxslt-CVE-2017-5029.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
This commit is contained in:
Leo Famulari 2017-12-21 02:12:55 -05:00
parent 2a0e3d1635
commit 0c9c9526bb
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
3 changed files with 97 additions and 1 deletions

View file

@ -851,6 +851,7 @@ dist_patch_DATA = \
%D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
%D%/packages/patches/libxslt-CVE-2016-4738.patch \
%D%/packages/patches/libxslt-CVE-2017-5029.patch \
%D%/packages/patches/libxt-guix-search-paths.patch \
%D%/packages/patches/lierolibre-check-unaligned-access.patch \
%D%/packages/patches/lierolibre-is-free-software.patch \

View file

@ -0,0 +1,82 @@
Fix CVE-2017-5029:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5029
Patch copied from upstream source repository:
https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5
From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 12 Jan 2017 15:39:52 +0100
Subject: [PATCH] Check for integer overflow in xsltAddTextString
Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.
Originally reported to Chromium:
https://crbug.com/676623
---
libxslt/transform.c | 25 ++++++++++++++++++++++---
libxslt/xsltInternals.h | 4 ++--
2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 519133fc..02bff34a 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
return(target);
if (ctxt->lasttext == target->content) {
+ int minSize;
- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
+ /* Check for integer overflow accounting for NUL terminator. */
+ if (len >= INT_MAX - ctxt->lasttuse) {
+ xsltTransformError(ctxt, NULL, target,
+ "xsltCopyText: text allocation failed\n");
+ return(NULL);
+ }
+ minSize = ctxt->lasttuse + len + 1;
+
+ if (ctxt->lasttsize < minSize) {
xmlChar *newbuf;
int size;
+ int extra;
+
+ /* Double buffer size but increase by at least 100 bytes. */
+ extra = minSize < 100 ? 100 : minSize;
+
+ /* Check for integer overflow. */
+ if (extra > INT_MAX - ctxt->lasttsize) {
+ size = INT_MAX;
+ }
+ else {
+ size = ctxt->lasttsize + extra;
+ }
- size = ctxt->lasttsize + len + 100;
- size *= 2;
newbuf = (xmlChar *) xmlRealloc(target->content,size);
if (newbuf == NULL) {
xsltTransformError(ctxt, NULL, target,
diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
index 060b1783..5ad17719 100644
--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
* Speed optimization when coalescing text nodes
*/
const xmlChar *lasttext; /* last text node content */
- unsigned int lasttsize; /* last text node size */
- unsigned int lasttuse; /* last text node use */
+ int lasttsize; /* last text node size */
+ int lasttuse; /* last text node use */
/*
* Per Context Debugging
*/
--
2.15.1

View file

@ -188,12 +188,16 @@ (define-public python2-libxml2
(define-public libxslt
(package
(name "libxslt")
(replacement libxslt/fixed)
(version "1.1.29")
(source (origin
(method url-fetch)
(uri (string-append "ftp://xmlsoft.org/libxslt/libxslt-"
version ".tar.gz"))
(patches (search-patches "libxslt-CVE-2016-4738.patch"))
;; XXX Oops, the patches field is redefined below, which means the
;; patch for CVE-2016-4738 was not used. Fixed in the definition of
;; libxslt/fixed below.
;(patches (search-patches "libxslt-CVE-2016-4738.patch"))
(sha256
(base32
"1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
@ -210,6 +214,15 @@ (define-public libxslt
based on libxml for XML parsing, tree manipulation and XPath support.")
(license license:x11)))
(define libxslt/fixed
(package
(inherit libxslt)
(source (origin
(inherit (package-source libxslt))
(patches (search-patches "libxslt-CVE-2016-4738.patch"
"libxslt-CVE-2017-5029.patch"
"libxslt-generated-ids.patch"))))))
(define-public perl-graph-readwrite
(package
(name "perl-graph-readwrite")