[PATCH] libxslt: Fix CVE-2019-11068

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] libxslt: Fix CVE-2019-11068
@ 2019-06-19 17:54 Adrian Bunk
  2019-06-19 18:32 ` akuster808
  0 siblings, 1 reply; 3+ messages in thread
From: Adrian Bunk @ 2019-06-19 17:54 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Adrian Bunk <bunk@stusta.de>
---
 .../0001-Fix-security-framework-bypass.patch  | 124 ++++++++++++++++++
 .../recipes-support/libxslt/libxslt_1.1.33.bb |   4 +-
 2 files changed, 127 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch

diff --git a/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
new file mode 100644
index 0000000000..89b647ddbf
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
@@ -0,0 +1,124 @@
+From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: Fix security framework bypass
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-11068
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c   |  9 +++++----
+ libxslt/transform.c |  9 +++++----
+ libxslt/xslt.c      |  9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312..4aad11bb 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(ctxt->sec, ctxt, URI);
+-	if (res == 0) {
+-	    xsltTransformError(ctxt, NULL, NULL,
+-		 "xsltLoadDocument: read rights for %s denied\n",
+-			     URI);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(ctxt, NULL, NULL,
++                     "xsltLoadDocument: read rights for %s denied\n",
++                                 URI);
+ 	    return(NULL);
+ 	}
+     }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(sec, NULL, URI);
+-	if (res == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsltLoadStyleDocument: read rights for %s denied\n",
+-			     URI);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsltLoadStyleDocument: read rights for %s denied\n",
++                                 URI);
+ 	    return(NULL);
+ 	}
+     }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cc..3783b247 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ 	int secres;
+ 
+ 	secres = xsltCheckRead(sec, NULL, URI);
+-	if (secres == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsl:import: read rights for %s denied\n",
+-			     URI);
++	if (secres <= 0) {
++            if (secres == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsl:import: read rights for %s denied\n",
++                                 URI);
+ 	    goto error;
+ 	}
+     }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914..0636dbd0 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+      */
+     if (ctxt->sec != NULL) {
+ 	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+-	if (ret == 0) {
+-	    xsltTransformError(ctxt, NULL, inst,
+-		 "xsltDocumentElem: write rights for %s denied\n",
+-			     filename);
++	if (ret <= 0) {
++            if (ret == 0)
++                xsltTransformError(ctxt, NULL, inst,
++                     "xsltDocumentElem: write rights for %s denied\n",
++                                 filename);
+ 	    xmlFree(URL);
+ 	    xmlFree(filename);
+ 	    return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad7..a234eb79 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(sec, NULL, filename);
+-	if (res == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsltParseStylesheetFile: read rights for %s denied\n",
+-			     filename);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsltParseStylesheetFile: read rights for %s denied\n",
++                                 filename);
+ 	    return(NULL);
+ 	}
+     }
+-- 
+2.20.1
+
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
index 462eccf52f..6320a821dc 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
 SECTION = "libs"
 DEPENDS = "libxml2"
 
-SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz"
+SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
+           file://0001-Fix-security-framework-bypass.patch \
+"
 
 SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"
 SRC_URI[sha256sum] = "8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8"
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] libxslt: Fix CVE-2019-11068
  2019-06-19 17:54 [PATCH] libxslt: Fix CVE-2019-11068 Adrian Bunk
@ 2019-06-19 18:32 ` akuster808
  2019-06-19 18:51   ` Adrian Bunk
  0 siblings, 1 reply; 3+ messages in thread
From: akuster808 @ 2019-06-19 18:32 UTC (permalink / raw)
  To: Adrian Bunk, openembedded-core



On 6/19/19 10:54 AM, Adrian Bunk wrote:
> Signed-off-by: Adrian Bunk <bunk@stusta.de>
> ---
>  .../0001-Fix-security-framework-bypass.patch  | 124 ++++++++++++++++++
>  .../recipes-support/libxslt/libxslt_1.1.33.bb |   4 +-
>  2 files changed, 127 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch

Thanks for the CVE fix. Is master affected?

- armin
>
> diff --git a/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
> new file mode 100644
> index 0000000000..89b647ddbf
> --- /dev/null
> +++ b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
> @@ -0,0 +1,124 @@
> +From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
> +From: Nick Wellnhofer <wellnhofer@aevum.de>
> +Date: Sun, 24 Mar 2019 09:51:39 +0100
> +Subject: Fix security framework bypass
> +
> +xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
> +don't check for this condition and allow access. With a specially
> +crafted URL, xsltCheckRead could be tricked into returning an error
> +because of a supposedly invalid URL that would still be loaded
> +succesfully later on.
> +
> +Fixes #12.
> +
> +Thanks to Felix Wilhelm for the report.
> +
> +Signed-off-by: Adrian Bunk <bunk@stusta.de>
> +Upstream-Status: Backport
> +CVE: CVE-2019-11068
> +---
> + libxslt/documents.c | 18 ++++++++++--------
> + libxslt/imports.c   |  9 +++++----
> + libxslt/transform.c |  9 +++++----
> + libxslt/xslt.c      |  9 +++++----
> + 4 files changed, 25 insertions(+), 20 deletions(-)
> +
> +diff --git a/libxslt/documents.c b/libxslt/documents.c
> +index 3f3a7312..4aad11bb 100644
> +--- a/libxslt/documents.c
> ++++ b/libxslt/documents.c
> +@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
> + 	int res;
> + 
> + 	res = xsltCheckRead(ctxt->sec, ctxt, URI);
> +-	if (res == 0) {
> +-	    xsltTransformError(ctxt, NULL, NULL,
> +-		 "xsltLoadDocument: read rights for %s denied\n",
> +-			     URI);
> ++	if (res <= 0) {
> ++            if (res == 0)
> ++                xsltTransformError(ctxt, NULL, NULL,
> ++                     "xsltLoadDocument: read rights for %s denied\n",
> ++                                 URI);
> + 	    return(NULL);
> + 	}
> +     }
> +@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
> + 	int res;
> + 
> + 	res = xsltCheckRead(sec, NULL, URI);
> +-	if (res == 0) {
> +-	    xsltTransformError(NULL, NULL, NULL,
> +-		 "xsltLoadStyleDocument: read rights for %s denied\n",
> +-			     URI);
> ++	if (res <= 0) {
> ++            if (res == 0)
> ++                xsltTransformError(NULL, NULL, NULL,
> ++                     "xsltLoadStyleDocument: read rights for %s denied\n",
> ++                                 URI);
> + 	    return(NULL);
> + 	}
> +     }
> +diff --git a/libxslt/imports.c b/libxslt/imports.c
> +index 874870cc..3783b247 100644
> +--- a/libxslt/imports.c
> ++++ b/libxslt/imports.c
> +@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
> + 	int secres;
> + 
> + 	secres = xsltCheckRead(sec, NULL, URI);
> +-	if (secres == 0) {
> +-	    xsltTransformError(NULL, NULL, NULL,
> +-		 "xsl:import: read rights for %s denied\n",
> +-			     URI);
> ++	if (secres <= 0) {
> ++            if (secres == 0)
> ++                xsltTransformError(NULL, NULL, NULL,
> ++                     "xsl:import: read rights for %s denied\n",
> ++                                 URI);
> + 	    goto error;
> + 	}
> +     }
> +diff --git a/libxslt/transform.c b/libxslt/transform.c
> +index 13793914..0636dbd0 100644
> +--- a/libxslt/transform.c
> ++++ b/libxslt/transform.c
> +@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
> +      */
> +     if (ctxt->sec != NULL) {
> + 	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
> +-	if (ret == 0) {
> +-	    xsltTransformError(ctxt, NULL, inst,
> +-		 "xsltDocumentElem: write rights for %s denied\n",
> +-			     filename);
> ++	if (ret <= 0) {
> ++            if (ret == 0)
> ++                xsltTransformError(ctxt, NULL, inst,
> ++                     "xsltDocumentElem: write rights for %s denied\n",
> ++                                 filename);
> + 	    xmlFree(URL);
> + 	    xmlFree(filename);
> + 	    return;
> +diff --git a/libxslt/xslt.c b/libxslt/xslt.c
> +index 780a5ad7..a234eb79 100644
> +--- a/libxslt/xslt.c
> ++++ b/libxslt/xslt.c
> +@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
> + 	int res;
> + 
> + 	res = xsltCheckRead(sec, NULL, filename);
> +-	if (res == 0) {
> +-	    xsltTransformError(NULL, NULL, NULL,
> +-		 "xsltParseStylesheetFile: read rights for %s denied\n",
> +-			     filename);
> ++	if (res <= 0) {
> ++            if (res == 0)
> ++                xsltTransformError(NULL, NULL, NULL,
> ++                     "xsltParseStylesheetFile: read rights for %s denied\n",
> ++                                 filename);
> + 	    return(NULL);
> + 	}
> +     }
> +-- 
> +2.20.1
> +
> diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
> index 462eccf52f..6320a821dc 100644
> --- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb
> +++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
> @@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
>  SECTION = "libs"
>  DEPENDS = "libxml2"
>  
> -SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz"
> +SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
> +           file://0001-Fix-security-framework-bypass.patch \
> +"
>  
>  SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"
>  SRC_URI[sha256sum] = "8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8"



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] libxslt: Fix CVE-2019-11068
  2019-06-19 18:32 ` akuster808
@ 2019-06-19 18:51   ` Adrian Bunk
  0 siblings, 0 replies; 3+ messages in thread
From: Adrian Bunk @ 2019-06-19 18:51 UTC (permalink / raw)
  To: akuster808; +Cc: openembedded-core

On Wed, Jun 19, 2019 at 11:32:00AM -0700, akuster808 wrote:
> 
> 
> On 6/19/19 10:54 AM, Adrian Bunk wrote:
> > Signed-off-by: Adrian Bunk <bunk@stusta.de>
> > ---
> >  .../0001-Fix-security-framework-bypass.patch  | 124 ++++++++++++++++++
> >  .../recipes-support/libxslt/libxslt_1.1.33.bb |   4 +-
> >  2 files changed, 127 insertions(+), 1 deletion(-)
> >  create mode 100644 meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
> 
> Thanks for the CVE fix. Is master affected?

This was sent for master.

> - armin

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2019-06-19 18:51 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-06-19 17:54 [PATCH] libxslt: Fix CVE-2019-11068 Adrian Bunk
2019-06-19 18:32 ` akuster808
2019-06-19 18:51   ` Adrian Bunk

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.