gnu: libxslt: Fix CVE-2016-4738.

* gnu/packages/patches/libxslt-CVE-2016-4738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xml.scm (libxslt)[replacement]: New field.
(libxslt/fixed): New variable.
Leo Famulari 2016-11-08 17:12:01 -05:00
parent d887f420d2
commit 0b34b58688
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
3 changed files with 49 additions and 0 deletions


@ -692,6 +692,7 @@ dist_patch_DATA = \
%D%/packages/patches/libxv-CVE-2016-5407.patch \ %D%/packages/patches/libxv-CVE-2016-5407.patch \
%D%/packages/patches/libxvmc-CVE-2016-7953.patch \ %D%/packages/patches/libxvmc-CVE-2016-7953.patch \
%D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/libxslt-generated-ids.patch \
%D%/packages/patches/libxslt-CVE-2016-4738.patch \
%D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/lirc-localstatedir.patch \
%D%/packages/patches/llvm-for-extempore.patch \ %D%/packages/patches/llvm-for-extempore.patch \
%D%/packages/patches/lm-sensors-hwmon-attrs.patch \ %D%/packages/patches/lm-sensors-hwmon-attrs.patch \
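Review bot: minor ordering point on the new `libxslt-CVE-2016-4738.patch` entry: in plain ASCII order it would sort before `libxslt-generated-ids.patch` (uppercase `C` precedes lowercase `g`), whereas here it is placed after it. Keeping the libxslt patches adjacent is what matters for `dist_patch_DATA`, so this is cosmetic, but swapping the two lines would keep the list strictly sorted.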


@ -0,0 +1,39 @@
Fix CVE-2016-4738:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738
https://bugs.chromium.org/p/chromium/issues/detail?id=619006
Patch copied from upstream source repository:
https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880
From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 10 Jun 2016 14:23:58 +0200
Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.
Found with afl-fuzz and ASan.
---
libxslt/numbers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index d1549b4..e78c46b 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
}
/* We have finished the integer part, now work on fraction */
- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
+ if ( (*the_format != 0) &&
+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
format_info.add_decimal = TRUE;
the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
}
--
2.10.2
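Review bot: the new guard `(*the_format != 0)` is placed correctly ahead of the `xsltUTF8Charcmp` call, but the upstream hunk leaves no comment explaining why it is needed: once the pattern string is exhausted, the comparison can report a match and the following `the_format += xsltUTF8Size(the_format)` then advances past the terminating NUL, which is the overread the commit message describes. A one-line comment above the `if` in numbers.c (or in this patch file's header, since Guix carries it as a separate file) would save the next reader from re-deriving that from the CVE. It is also worth noting in the patch header that the fix only covers this one comparison site; if `xsltFormatNumberConversion` compares `the_format` against other separators in the same way, those sites deserve the same end-of-pattern check.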


@ -147,6 +147,7 @@ project (but it is usable outside of the Gnome platform).")
(define-public libxslt (define-public libxslt
(package (package
(name "libxslt") (name "libxslt")
(replacement libxslt/fixed)
(version "1.1.29") (version "1.1.29")
(source (origin (source (origin
(method url-fetch) (method url-fetch)
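Review bot: `(replacement libxslt/fixed)` refers to a variable that is only defined further down in xml.scm; that is fine for a Guile top-level `define`, but since grafting requires the replacement to keep the same name and version as the original package, the commit message should say that `libxslt/fixed` is a graft of 1.1.29 with the CVE patch applied, so that a later version bump of `libxslt` is not shipped with a stale replacement.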
@ -168,6 +169,14 @@ project (but it is usable outside of the Gnome platform).")
based on libxml for XML parsing, tree manipulation and XPath support.") based on libxml for XML parsing, tree manipulation and XPath support.")
(license license:x11))) (license license:x11)))
(define libxslt/fixed
(package
(inherit libxslt)
(name "libxslt")
(source (origin
(inherit (package-source libxslt))
(patches (search-patches "libxslt-CVE-2016-4738.patch"))))))
(define-public perl-graph-readwrite (define-public perl-graph-readwrite
(package (package
(name "perl-graph-readwrite") (name "perl-graph-readwrite")
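Review bot: in the `libxslt/fixed` definition, `(name "libxslt")` is redundant because `(inherit libxslt)` already carries the name (and version) over; dropping it leaves `source` as the only overridden field, which makes it obvious at a glance that the graft differs from `libxslt` solely by the added `libxslt-CVE-2016-4738.patch`. Keeping `(inherit (package-source libxslt))` inside the `origin` is the right way to preserve the upstream URL and hash while adding the patch.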