Attachment 208512 Details for Bug 241420 – Fix CVE, close #239131

[patch] Fix CVE, close #239131

0001-textproc-libxslt.patch (text/plain), 2.74 KB, created by Nathan on 2019-10-22 20:13:28 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Nathan

Created: 2019-10-22 20:13:28 UTC

Size: 2.74 KB

patch

obsolete

>From 8996afd6564b88501cef7a39818a1649040f36aa Mon Sep 17 00:00:00 2001
>From: Nathan Owens <ndowens04@gmail.com>
>Date: Tue, 22 Oct 2019 15:03:17 -0500
>Subject: [PATCH] textproc/libxslt:
>
>* Include patch from #239131
>* Add patch from libxslt GIT page; commit #22324737
>    - Fixes: CVE-2019-18197
>---
> textproc/libxslt/Makefile                     |  4 +-
> .../libxslt/files/patch-libxslt_transform.c   | 46 ++++++++++++-------
> 2 files changed, 31 insertions(+), 19 deletions(-)
>
>diff --git a/textproc/libxslt/Makefile b/textproc/libxslt/Makefile
>index 15bfb9e53..405dc06c6 100644
>--- a/textproc/libxslt/Makefile
>+++ b/textproc/libxslt/Makefile
>@@ -3,9 +3,9 @@
> 
> PORTNAME=	libxslt
> PORTVERSION=	1.1.33
>+PORTREVISION=	1
> CATEGORIES?=	textproc gnome
>-MASTER_SITES=	http://xmlsoft.org/sources/ \
>-		https://mirror.umd.edu/xbmc/build-deps/sources/
>+MASTER_SITES=	https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/
> DIST_SUBDIR=	gnome2
> 
> MAINTAINER?=	gnome@FreeBSD.org
>diff --git a/textproc/libxslt/files/patch-libxslt_transform.c b/textproc/libxslt/files/patch-libxslt_transform.c
>index 744e8dd9b..8d72dfffc 100644
>--- a/textproc/libxslt/files/patch-libxslt_transform.c
>+++ b/textproc/libxslt/files/patch-libxslt_transform.c
>@@ -1,18 +1,30 @@
>---- libxslt/transform.c.orig	2017-10-30 07:49:55 UTC
>+From ee31512213544a869418a06a819e9cb9a7346f65 Mon Sep 17 00:00:00 2001
>+From: Nick Wellnhofer <wellnhofer@aevum.de>
>+Date: Sat, 17 Aug 2019 16:51:53 +0200
>+Subject: [PATCH] Fix dangling pointer in xsltCopyText
>+
>+xsltCopyText didn't reset ctxt->lasttext in some cases which could
>+lead to various memory errors in relation with CDATA sections in input
>+documents.
>+
>+Found by OSS-Fuzz.
>+---
>+ libxslt/transform.c | 2 ++
>+ 1 file changed, 2 insertions(+)
>+
>+diff --git a/libxslt/transform.c b/libxslt/transform.c
>+index ed5afacb..477265c2 100644
>+--- libxslt/transform.c
> +++ libxslt/transform.c
>-@@ -3485,10 +3485,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNode
>-      */
>-     if (ctxt->sec != NULL) {
>- 	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
>--	if (ret == 0) {
>--	    xsltTransformError(ctxt, NULL, inst,
>--		 "xsltDocumentElem: write rights for %s denied\n",
>--			     filename);
>-+	if (ret <= 0) {
>-+            if (ret == 0)
>-+                xsltTransformError(ctxt, NULL, inst,
>-+                     "xsltDocumentElem: write rights for %s denied\n",
>-+                                 filename);
>- 	    xmlFree(URL);
>- 	    xmlFree(filename);
>- 	    return;
>+@@ -1090,6 +1090,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
>+ 	    if ((copy->content = xmlStrdup(cur->content)) == NULL)
>+ 		return NULL;
>+ 	}
>++
>++	ctxt->lasttext = NULL;
>+     } else {
>+         /*
>+ 	 * normal processing. keep counters to extend the text node
>+-- 
>+2.23.0
>+
>-- 
>2.23.0
>

Actions: View | Diff

Attachments on bug 241420: 208512 | 208515 | 208538 | 208586