aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2016-11-08 17:12:01 -0500
committerLeo Famulari <leo@famulari.name>2016-11-09 10:19:49 -0500
commit0b34b58688ac0d9bc0e2700acf82269e67ccdfa3 (patch)
tree2c67f3795ec59c682cd96778ff5a16e5f80a1a36
parentd887f420d2a83616a22671968b5a7d1700b58aec (diff)
downloadguix-0b34b58688ac0d9bc0e2700acf82269e67ccdfa3.tar.gz
guix-0b34b58688ac0d9bc0e2700acf82269e67ccdfa3.zip
gnu: libxslt: Fix CVE-2016-4738.
* gnu/packages/patches/libxslt-CVE-2016-4738.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xml.scm (libxslt)[replacement]: New field. (libxslt/fixed): New variable.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/libxslt-CVE-2016-4738.patch39
-rw-r--r--gnu/packages/xml.scm9
3 files changed, 49 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 396281357a..6e152eb005 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -692,6 +692,7 @@ dist_patch_DATA = \
%D%/packages/patches/libxv-CVE-2016-5407.patch \
%D%/packages/patches/libxvmc-CVE-2016-7953.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
+ %D%/packages/patches/libxslt-CVE-2016-4738.patch \
%D%/packages/patches/lirc-localstatedir.patch \
%D%/packages/patches/llvm-for-extempore.patch \
%D%/packages/patches/lm-sensors-hwmon-attrs.patch \
diff --git a/gnu/packages/patches/libxslt-CVE-2016-4738.patch b/gnu/packages/patches/libxslt-CVE-2016-4738.patch
new file mode 100644
index 0000000000..a7537c66ca
--- /dev/null
+++ b/gnu/packages/patches/libxslt-CVE-2016-4738.patch
@@ -0,0 +1,39 @@
+Fix CVE-2016-4738:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738
+https://bugs.chromium.org/p/chromium/issues/detail?id=619006
+
+Patch copied from upstream source repository:
+https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880
+
+From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jun 2016 14:23:58 +0200
+Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
+
+An empty decimal-separator could cause a heap overread. This can be
+exploited to leak a couple of bytes after the buffer that holds the
+pattern string.
+
+Found with afl-fuzz and ASan.
+---
+ libxslt/numbers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index d1549b4..e78c46b 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
+ }
+
+ /* We have finished the integer part, now work on fraction */
+- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
++ if ( (*the_format != 0) &&
++ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
+ format_info.add_decimal = TRUE;
+ the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
+ }
+--
+2.10.2
+
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 879b37a337..d6c034bc26 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -147,6 +147,7 @@ project (but it is usable outside of the Gnome platform).")
(define-public libxslt
(package
(name "libxslt")
+ (replacement libxslt/fixed)
(version "1.1.29")
(source (origin
(method url-fetch)
@@ -168,6 +169,14 @@ project (but it is usable outside of the Gnome platform).")
based on libxml for XML parsing, tree manipulation and XPath support.")
(license license:x11)))
+(define libxslt/fixed
+ (package
+ (inherit libxslt)
+ (name "libxslt")
+ (source (origin
+ (inherit (package-source libxslt))
+ (patches (search-patches "libxslt-CVE-2016-4738.patch"))))))
+
(define-public perl-graph-readwrite
(package
(name "perl-graph-readwrite")