summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoe Slater <joe.slater@windriver.com>2019-10-22 18:59:51 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-10-31 16:07:11 +0000
commit1263db2759b88e423bb717cc0cfc256c7962871b (patch)
tree4b106f55ded0629b05a21a8e1aeff32f9d5e9f06
parent844e7aa217f5ecf46766a07d46f9d7f083668e8e (diff)
downloadopenembedded-core-1263db2759b88e423bb717cc0cfc256c7962871b.tar.gz
openembedded-core-1263db2759b88e423bb717cc0cfc256c7962871b.tar.bz2
openembedded-core-1263db2759b88e423bb717cc0cfc256c7962871b.zip
libxslt: fix CVE-2019-18197
Use patch from upstream after 1.1.33 release. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
-rw-r--r--meta/recipes-support/libxslt/files/CVE-2019-18197.patch33
-rw-r--r--meta/recipes-support/libxslt/libxslt_1.1.33.bb1
2 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-18197.patch b/meta/recipes-support/libxslt/files/CVE-2019-18197.patch
new file mode 100644
index 0000000000..5f2b620396
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-18197.patch
@@ -0,0 +1,33 @@
+libxslt: fix CVE-2019-18197
+
+Added after 1.1.33 release.
+
+CVE: CVE-2019-18197
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt.git]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+commit 2232473733b7313d67de8836ea3b29eec6e8e285
+Author: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat Aug 17 16:51:53 2019 +0200
+
+ Fix dangling pointer in xsltCopyText
+
+ xsltCopyText didn't reset ctxt->lasttext in some cases which could
+ lead to various memory errors in relation with CDATA sections in input
+ documents.
+
+ Found by OSS-Fuzz.
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 95ebd07..d7ab0b6 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ if ((copy->content = xmlStrdup(cur->content)) == NULL)
+ return NULL;
+ }
++
++ ctxt->lasttext = NULL;
+ } else {
+ /*
+ * normal processing. keep counters to extend the text node
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
index abc00a09ea..9f268e7bb0 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
file://0001-Fix-security-framework-bypass.patch \
file://CVE-2019-13117.patch \
file://CVE-2019-13118.patch \
+ file://CVE-2019-18197.patch \
"
SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"