diff options
author | Leo Famulari <leo@famulari.name> | 2016-11-08 17:12:01 -0500 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2016-11-09 10:19:49 -0500 |
commit | 0b34b58688ac0d9bc0e2700acf82269e67ccdfa3 (patch) | |
tree | 2c67f3795ec59c682cd96778ff5a16e5f80a1a36 | |
parent | d887f420d2a83616a22671968b5a7d1700b58aec (diff) | |
download | guix-0b34b58688ac0d9bc0e2700acf82269e67ccdfa3.tar.gz guix-0b34b58688ac0d9bc0e2700acf82269e67ccdfa3.zip |
gnu: libxslt: Fix CVE-2016-4738.
* gnu/packages/patches/libxslt-CVE-2016-4738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xml.scm (libxslt)[replacement]: New field.
(libxslt/fixed): New variable.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/libxslt-CVE-2016-4738.patch | 39 | ||||
-rw-r--r-- | gnu/packages/xml.scm | 9 |
3 files changed, 49 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 396281357a..6e152eb005 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -692,6 +692,7 @@ dist_patch_DATA = \ %D%/packages/patches/libxv-CVE-2016-5407.patch \ %D%/packages/patches/libxvmc-CVE-2016-7953.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ + %D%/packages/patches/libxslt-CVE-2016-4738.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/llvm-for-extempore.patch \ %D%/packages/patches/lm-sensors-hwmon-attrs.patch \ diff --git a/gnu/packages/patches/libxslt-CVE-2016-4738.patch b/gnu/packages/patches/libxslt-CVE-2016-4738.patch new file mode 100644 index 0000000000..a7537c66ca --- /dev/null +++ b/gnu/packages/patches/libxslt-CVE-2016-4738.patch @@ -0,0 +1,39 @@ +Fix CVE-2016-4738: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738 +https://bugs.chromium.org/p/chromium/issues/detail?id=619006 + +Patch copied from upstream source repository: +https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880 + +From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Fri, 10 Jun 2016 14:23:58 +0200 +Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion + +An empty decimal-separator could cause a heap overread. This can be +exploited to leak a couple of bytes after the buffer that holds the +pattern string. + +Found with afl-fuzz and ASan. +--- + libxslt/numbers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index d1549b4..e78c46b 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self, + } + + /* We have finished the integer part, now work on fraction */ +- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) { ++ if ( (*the_format != 0) && ++ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) { + format_info.add_decimal = TRUE; + the_format += xsltUTF8Size(the_format); /* Skip over the decimal */ + } +-- +2.10.2 + diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 879b37a337..d6c034bc26 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -147,6 +147,7 @@ project (but it is usable outside of the Gnome platform).") (define-public libxslt (package (name "libxslt") + (replacement libxslt/fixed) (version "1.1.29") (source (origin (method url-fetch) @@ -168,6 +169,14 @@ project (but it is usable outside of the Gnome platform).") based on libxml for XML parsing, tree manipulation and XPath support.") (license license:x11))) +(define libxslt/fixed + (package + (inherit libxslt) + (name "libxslt") + (source (origin + (inherit (package-source libxslt)) + (patches (search-patches "libxslt-CVE-2016-4738.patch")))))) + (define-public perl-graph-readwrite (package (name "perl-graph-readwrite") |