[master][jethro][fido][PATCH] libxslt: CVE-2015-7995

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [master][jethro][fido][PATCH] libxslt: CVE-2015-7995
@ 2015-10-29 23:22 Armin Kuster
  2015-11-05 20:29 ` akuster808
  0 siblings, 1 reply; 5+ messages in thread
From: Armin Kuster @ 2015-10-29 23:22 UTC (permalink / raw)
  To: openembedded-core; +Cc: Armin Kuster

From: Armin Kuster <akuster@mvista.com>

This is a is being give a High rating so please consider it for
all 1.1.28 versions.

A type confusion error within the libxslt "xsltStylePreCompute()"
function in preproc.c can lead to a DoS. Confirmed in version 1.1.28,
other versions may also be affected.

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../libxslt/libxslt/CVE-2015-7995.patch            | 33 ++++++++++++++++++++++
 meta/recipes-support/libxslt/libxslt_1.1.28.bb     |  3 +-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
new file mode 100644
index 0000000..e4d09c2
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
@@ -0,0 +1,33 @@
+From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 29 Oct 2015 19:33:23 +0800
+Subject: Fix for type confusion in preprocessing attributes
+
+CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
+We need to check that the parent node is an element before dereferencing
+its namespace
+
+Upstream-Status: Backport
+
+https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libxslt/preproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxslt-1.1.28/libxslt/preproc.c
+===================================================================
+--- libxslt-1.1.28.orig/libxslt/preproc.c
++++ libxslt-1.1.28/libxslt/preproc.c
+@@ -2245,7 +2245,8 @@ xsltStylePreCompute(xsltStylesheetPtr st
+ 	} else if (IS_XSLT_NAME(inst, "attribute")) {
+ 	    xmlNodePtr parent = inst->parent;
+ 
+-	    if ((parent == NULL) || (parent->ns == NULL) ||
++	    if ((parent == NULL) ||
++	        (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
+ 		((parent->ns != inst->ns) &&
+ 		 (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
+ 		(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.28.bb b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
index 166bcd8..87fabec 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.28.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
@@ -10,7 +10,8 @@ DEPENDS = "libxml2"
 
 SRC_URI = "ftp://xmlsoft.org/libxslt//libxslt-${PV}.tar.gz \
            file://pkgconfig_fix.patch \
-           file://pkgconfig.patch"
+           file://pkgconfig.patch \
+           file://CVE-2015-7995.patch"
 
 SRC_URI[md5sum] = "9667bf6f9310b957254fdcf6596600b7"
 SRC_URI[sha256sum] = "5fc7151a57b89c03d7b825df5a0fae0a8d5f05674c0e7cf2937ecec4d54a028c"
-- 
2.3.5



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [master][jethro][fido][PATCH] libxslt: CVE-2015-7995
  2015-10-29 23:22 [master][jethro][fido][PATCH] libxslt: CVE-2015-7995 Armin Kuster
@ 2015-11-05 20:29 ` akuster808
  2015-11-05 20:31   ` Burton, Ross
  2015-11-05 22:01   ` Joshua Lock
  0 siblings, 2 replies; 5+ messages in thread
From: akuster808 @ 2015-11-05 20:29 UTC (permalink / raw)
  To: openembedded-core; +Cc: Armin Kuster

Ping.

- armin

On 10/29/2015 04:22 PM, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
> 
> This is a is being give a High rating so please consider it for
> all 1.1.28 versions.
> 
> A type confusion error within the libxslt "xsltStylePreCompute()"
> function in preproc.c can lead to a DoS. Confirmed in version 1.1.28,
> other versions may also be affected.
> 
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
>  .../libxslt/libxslt/CVE-2015-7995.patch            | 33 ++++++++++++++++++++++
>  meta/recipes-support/libxslt/libxslt_1.1.28.bb     |  3 +-
>  2 files changed, 35 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
> 
> diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
> new file mode 100644
> index 0000000..e4d09c2
> --- /dev/null
> +++ b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
> @@ -0,0 +1,33 @@
> +From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
> +From: Daniel Veillard <veillard@redhat.com>
> +Date: Thu, 29 Oct 2015 19:33:23 +0800
> +Subject: Fix for type confusion in preprocessing attributes
> +
> +CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
> +We need to check that the parent node is an element before dereferencing
> +its namespace
> +
> +Upstream-Status: Backport
> +
> +https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
> +
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + libxslt/preproc.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +Index: libxslt-1.1.28/libxslt/preproc.c
> +===================================================================
> +--- libxslt-1.1.28.orig/libxslt/preproc.c
> ++++ libxslt-1.1.28/libxslt/preproc.c
> +@@ -2245,7 +2245,8 @@ xsltStylePreCompute(xsltStylesheetPtr st
> + 	} else if (IS_XSLT_NAME(inst, "attribute")) {
> + 	    xmlNodePtr parent = inst->parent;
> + 
> +-	    if ((parent == NULL) || (parent->ns == NULL) ||
> ++	    if ((parent == NULL) ||
> ++	        (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
> + 		((parent->ns != inst->ns) &&
> + 		 (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
> + 		(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
> diff --git a/meta/recipes-support/libxslt/libxslt_1.1.28.bb b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
> index 166bcd8..87fabec 100644
> --- a/meta/recipes-support/libxslt/libxslt_1.1.28.bb
> +++ b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
> @@ -10,7 +10,8 @@ DEPENDS = "libxml2"
>  
>  SRC_URI = "ftp://xmlsoft.org/libxslt//libxslt-${PV}.tar.gz \
>             file://pkgconfig_fix.patch \
> -           file://pkgconfig.patch"
> +           file://pkgconfig.patch \
> +           file://CVE-2015-7995.patch"
>  
>  SRC_URI[md5sum] = "9667bf6f9310b957254fdcf6596600b7"
>  SRC_URI[sha256sum] = "5fc7151a57b89c03d7b825df5a0fae0a8d5f05674c0e7cf2937ecec4d54a028c"
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [master][jethro][fido][PATCH] libxslt: CVE-2015-7995
  2015-11-05 20:29 ` akuster808
@ 2015-11-05 20:31   ` Burton, Ross
  2015-11-05 22:01   ` Joshua Lock
  1 sibling, 0 replies; 5+ messages in thread
From: Burton, Ross @ 2015-11-05 20:31 UTC (permalink / raw)
  To: akuster808; +Cc: Armin Kuster, OE-core

[-- Attachment #1: Type: text/plain, Size: 140 bytes --]

On 5 November 2015 at 20:29, akuster808 <akuster808@gmail.com> wrote:

> Ping.
>

Queued in mut, will be hitting the AB soon.

Ross

[-- Attachment #2: Type: text/html, Size: 618 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [master][jethro][fido][PATCH] libxslt: CVE-2015-7995
  2015-11-05 20:29 ` akuster808
  2015-11-05 20:31   ` Burton, Ross
@ 2015-11-05 22:01   ` Joshua Lock
  2015-11-06  1:16     ` akuster808
  1 sibling, 1 reply; 5+ messages in thread
From: Joshua Lock @ 2015-11-05 22:01 UTC (permalink / raw)
  To: openembedded-core

On 05/11/15 20:29, akuster808 wrote:
> Ping.
>
> - armin

Hi Armin,

I've pushed this change to my joshuagl/fido-next branch of 
openembedded-core-contrib and am testing it now.

Thanks,

Joshua

1. 
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next

>
> On 10/29/2015 04:22 PM, Armin Kuster wrote:
>> From: Armin Kuster <akuster@mvista.com>
>>
>> This is a is being give a High rating so please consider it for
>> all 1.1.28 versions.
>>
>> A type confusion error within the libxslt "xsltStylePreCompute()"
>> function in preproc.c can lead to a DoS. Confirmed in version 1.1.28,
>> other versions may also be affected.
>>
>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>> ---
>>   .../libxslt/libxslt/CVE-2015-7995.patch            | 33 ++++++++++++++++++++++
>>   meta/recipes-support/libxslt/libxslt_1.1.28.bb     |  3 +-
>>   2 files changed, 35 insertions(+), 1 deletion(-)
>>   create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
>>
>> diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
>> new file mode 100644
>> index 0000000..e4d09c2
>> --- /dev/null
>> +++ b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
>> @@ -0,0 +1,33 @@
>> +From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
>> +From: Daniel Veillard <veillard@redhat.com>
>> +Date: Thu, 29 Oct 2015 19:33:23 +0800
>> +Subject: Fix for type confusion in preprocessing attributes
>> +
>> +CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
>> +We need to check that the parent node is an element before dereferencing
>> +its namespace
>> +
>> +Upstream-Status: Backport
>> +
>> +https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
>> +
>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>> +
>> +---
>> + libxslt/preproc.c | 3 ++-
>> + 1 file changed, 2 insertions(+), 1 deletion(-)
>> +
>> +Index: libxslt-1.1.28/libxslt/preproc.c
>> +===================================================================
>> +--- libxslt-1.1.28.orig/libxslt/preproc.c
>> ++++ libxslt-1.1.28/libxslt/preproc.c
>> +@@ -2245,7 +2245,8 @@ xsltStylePreCompute(xsltStylesheetPtr st
>> + 	} else if (IS_XSLT_NAME(inst, "attribute")) {
>> + 	    xmlNodePtr parent = inst->parent;
>> +
>> +-	    if ((parent == NULL) || (parent->ns == NULL) ||
>> ++	    if ((parent == NULL) ||
>> ++	        (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
>> + 		((parent->ns != inst->ns) &&
>> + 		 (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
>> + 		(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
>> diff --git a/meta/recipes-support/libxslt/libxslt_1.1.28.bb b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
>> index 166bcd8..87fabec 100644
>> --- a/meta/recipes-support/libxslt/libxslt_1.1.28.bb
>> +++ b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
>> @@ -10,7 +10,8 @@ DEPENDS = "libxml2"
>>
>>   SRC_URI = "ftp://xmlsoft.org/libxslt//libxslt-${PV}.tar.gz \
>>              file://pkgconfig_fix.patch \
>> -           file://pkgconfig.patch"
>> +           file://pkgconfig.patch \
>> +           file://CVE-2015-7995.patch"
>>
>>   SRC_URI[md5sum] = "9667bf6f9310b957254fdcf6596600b7"
>>   SRC_URI[sha256sum] = "5fc7151a57b89c03d7b825df5a0fae0a8d5f05674c0e7cf2937ecec4d54a028c"
>>



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [master][jethro][fido][PATCH] libxslt: CVE-2015-7995
  2015-11-05 22:01   ` Joshua Lock
@ 2015-11-06  1:16     ` akuster808
  0 siblings, 0 replies; 5+ messages in thread
From: akuster808 @ 2015-11-06  1:16 UTC (permalink / raw)
  To: openembedded-core



On 11/05/2015 02:01 PM, Joshua Lock wrote:
> On 05/11/15 20:29, akuster808 wrote:
>> Ping.
>>
>> - armin
> 
> Hi Armin,
> 
> I've pushed this change to my joshuagl/fido-next branch of
> openembedded-core-contrib and am testing it now.

thanks.

- armin
> 
> Thanks,
> 
> Joshua
> 
> 1.
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next
> 
> 
>>
>> On 10/29/2015 04:22 PM, Armin Kuster wrote:
>>> From: Armin Kuster <akuster@mvista.com>
>>>
>>> This is a is being give a High rating so please consider it for
>>> all 1.1.28 versions.
>>>
>>> A type confusion error within the libxslt "xsltStylePreCompute()"
>>> function in preproc.c can lead to a DoS. Confirmed in version 1.1.28,
>>> other versions may also be affected.
>>>
>>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>>> ---
>>>   .../libxslt/libxslt/CVE-2015-7995.patch            | 33
>>> ++++++++++++++++++++++
>>>   meta/recipes-support/libxslt/libxslt_1.1.28.bb     |  3 +-
>>>   2 files changed, 35 insertions(+), 1 deletion(-)
>>>   create mode 100644
>>> meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
>>>
>>> diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
>>> b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
>>> new file mode 100644
>>> index 0000000..e4d09c2
>>> --- /dev/null
>>> +++ b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
>>> @@ -0,0 +1,33 @@
>>> +From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
>>> +From: Daniel Veillard <veillard@redhat.com>
>>> +Date: Thu, 29 Oct 2015 19:33:23 +0800
>>> +Subject: Fix for type confusion in preprocessing attributes
>>> +
>>> +CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
>>> +We need to check that the parent node is an element before
>>> dereferencing
>>> +its namespace
>>> +
>>> +Upstream-Status: Backport
>>> +
>>> +https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
>>>
>>> +
>>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>>> +
>>> +---
>>> + libxslt/preproc.c | 3 ++-
>>> + 1 file changed, 2 insertions(+), 1 deletion(-)
>>> +
>>> +Index: libxslt-1.1.28/libxslt/preproc.c
>>> +===================================================================
>>> +--- libxslt-1.1.28.orig/libxslt/preproc.c
>>> ++++ libxslt-1.1.28/libxslt/preproc.c
>>> +@@ -2245,7 +2245,8 @@ xsltStylePreCompute(xsltStylesheetPtr st
>>> +     } else if (IS_XSLT_NAME(inst, "attribute")) {
>>> +         xmlNodePtr parent = inst->parent;
>>> +
>>> +-        if ((parent == NULL) || (parent->ns == NULL) ||
>>> ++        if ((parent == NULL) ||
>>> ++            (parent->type != XML_ELEMENT_NODE) || (parent->ns ==
>>> NULL) ||
>>> +         ((parent->ns != inst->ns) &&
>>> +          (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
>>> +         (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
>>> diff --git a/meta/recipes-support/libxslt/libxslt_1.1.28.bb
>>> b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
>>> index 166bcd8..87fabec 100644
>>> --- a/meta/recipes-support/libxslt/libxslt_1.1.28.bb
>>> +++ b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
>>> @@ -10,7 +10,8 @@ DEPENDS = "libxml2"
>>>
>>>   SRC_URI = "ftp://xmlsoft.org/libxslt//libxslt-${PV}.tar.gz \
>>>              file://pkgconfig_fix.patch \
>>> -           file://pkgconfig.patch"
>>> +           file://pkgconfig.patch \
>>> +           file://CVE-2015-7995.patch"
>>>
>>>   SRC_URI[md5sum] = "9667bf6f9310b957254fdcf6596600b7"
>>>   SRC_URI[sha256sum] =
>>> "5fc7151a57b89c03d7b825df5a0fae0a8d5f05674c0e7cf2937ecec4d54a028c"
>>>
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2015-11-06  1:16 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-29 23:22 [master][jethro][fido][PATCH] libxslt: CVE-2015-7995 Armin Kuster
2015-11-05 20:29 ` akuster808
2015-11-05 20:31   ` Burton, Ross
2015-11-05 22:01   ` Joshua Lock
2015-11-06  1:16     ` akuster808

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox