
gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738.

This is a followup to commit 2663c38826.

* gnu/packages/xml.scm (libxslt)[replacement]: New field.
(libxslt/fixed): New variable.
* gnu/packages/patches/libxslt-CVE-2017-5029.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
Leo Famulari 2017-12-21 02:12:55 -05:00
parent 2a0e3d1635
commit 0c9c9526bb
GPG Key ID: 2646FA30BACA7F08
3 changed files with 97 additions and 1 deletions


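--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -851,6 +851,7 @@ dist_patch_DATA = \
 %D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch \
 %D%/packages/patches/libxslt-generated-ids.patch \
 %D%/packages/patches/libxslt-CVE-2016-4738.patch \
+%D%/packages/patches/libxslt-CVE-2017-5029.patch \
 %D%/packages/patches/libxt-guix-search-paths.patch \
 %D%/packages/patches/lierolibre-check-unaligned-access.patch \
 %D%/packages/patches/lierolibre-is-free-software.patch \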


@ -0,0 +1,82 @@
Fix CVE-2017-5029:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5029
Patch copied from upstream source repository:
https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5
From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 12 Jan 2017 15:39:52 +0100
Subject: [PATCH] Check for integer overflow in xsltAddTextString
Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.
Originally reported to Chromium:
https://crbug.com/676623
---
libxslt/transform.c | 25 ++++++++++++++++++++++---
libxslt/xsltInternals.h | 4 ++--
2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 519133fc..02bff34a 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
return(target);
if (ctxt->lasttext == target->content) {
+ int minSize;
- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
+ /* Check for integer overflow accounting for NUL terminator. */
+ if (len >= INT_MAX - ctxt->lasttuse) {
+ xsltTransformError(ctxt, NULL, target,
+ "xsltCopyText: text allocation failed\n");
+ return(NULL);
+ }
+ minSize = ctxt->lasttuse + len + 1;
+
+ if (ctxt->lasttsize < minSize) {
xmlChar *newbuf;
int size;
+ int extra;
+
+ /* Double buffer size but increase by at least 100 bytes. */
+ extra = minSize < 100 ? 100 : minSize;
+
+ /* Check for integer overflow. */
+ if (extra > INT_MAX - ctxt->lasttsize) {
+ size = INT_MAX;
+ }
+ else {
+ size = ctxt->lasttsize + extra;
+ }
- size = ctxt->lasttsize + len + 100;
- size *= 2;
newbuf = (xmlChar *) xmlRealloc(target->content,size);
if (newbuf == NULL) {
xsltTransformError(ctxt, NULL, target,
diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
index 060b1783..5ad17719 100644
--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
* Speed optimization when coalescing text nodes
*/
const xmlChar *lasttext; /* last text node content */
- unsigned int lasttsize; /* last text node size */
- unsigned int lasttuse; /* last text node use */
+ int lasttsize; /* last text node size */
+ int lasttuse; /* last text node use */
/*
* Per Context Debugging
*/
--
2.15.1
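Review bot: The new overflow guard `if (len >= INT_MAX - ctxt->lasttuse)` in the transform.c hunk is only sound when `len` is non-negative; the parameter list of xsltAddTextString is cut off in the hunk header, so its type cannot be confirmed from this page, and if it is a plain `int` a negative value passes the guard and yields a `minSize` below `lasttuse`. Since this is a verbatim upstream patch it should not be edited locally, but it is worth recording in the patch preamble that callers are expected to pass an `xmlStrlen`-style length, or raising upstream a leading `if (len < 0) return(NULL);`. The guard also references `INT_MAX` without the patch adding `<limits.h>`, so the graft build is the check that transform.c already includes it. The rest of xsltAddTextString, including the copy into the buffer at `lasttuse` and the update of `lasttuse`, lies outside the hunk.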


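--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -188,12 +188,16 @@ project (but it is usable outside of the Gnome platform).")
 (define-public libxslt
 (package
 (name "libxslt")
+(replacement libxslt/fixed)
 (version "1.1.29")
 (source (origin
 (method url-fetch)
 (uri (string-append "ftp://xmlsoft.org/libxslt/libxslt-"
 version ".tar.gz"))
-(patches (search-patches "libxslt-CVE-2016-4738.patch"))
+;; XXX Oops, the patches field is redefined below, which means the
+;; patch for CVE-2016-4738 was not used. Fixed in the definition of
+;; libxslt/fixed below.
+;(patches (search-patches "libxslt-CVE-2016-4738.patch"))
 (sha256
 (base32
 "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
@@ -210,6 +214,15 @@ project (but it is usable outside of the Gnome platform).")
 based on libxml for XML parsing, tree manipulation and XPath support.")
 (license license:x11)))
+(define libxslt/fixed
+(package
+(inherit libxslt)
+(source (origin
+(inherit (package-source libxslt))
+(patches (search-patches "libxslt-CVE-2016-4738.patch"
+"libxslt-CVE-2017-5029.patch"
+"libxslt-generated-ids.patch"))))))
 (define-public perl-graph-readwrite
 (package
 (name "perl-graph-readwrite")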
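Review bot: The commented-out `;(patches (search-patches "libxslt-CVE-2016-4738.patch"))` left under the `XXX` note is dead code that the note already explains; drop it and move the explanation to where it matters, the `libxslt/fixed` graft, which is only valid if the patched build keeps the ABI of 1.1.29. The CVE-2017-5029 patch changes `lasttsize`/`lasttuse` in the public `xsltInternals.h` struct from `unsigned int` to `int`, which keeps the field widths (so layout should be unchanged), but a reader of this file cannot see that, so a comment such as `;; Graft: CVE-2017-5029 only narrows two counters from unsigned int to int in xsltInternals.h, same width, so the ABI of 1.1.29 is preserved.` above `(define libxslt/fixed` would document why grafting is acceptable here. Note also that the un-grafted `libxslt` now carries no CVE patches at all, so a `;; TODO: fold these patches into libxslt itself on the next full rebuild.` in `libxslt/fixed` would keep the temporary nature of the graft visible.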