libxslt: add multiple security patches
Add security patches for CVE-2011-1202 and CVE-2011-3970. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
This commit is contained in:
Gustavo Zacarias
Peter Korsgaard
parent
9ae23e3911
commit
584dbc2f0a
56
package/libxslt/libxslt-1.1.26-id-generation.patch
Normal file
56
package/libxslt/libxslt-1.1.26-id-generation.patch
Normal file
@ -0,0 +1,56 @@
|
|||||||
|
From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Veillard <veillard@redhat.com>
|
||||||
|
Date: Tue, 22 Feb 2011 02:14:23 +0000
|
||||||
|
Subject: Fix generate-id() to not expose object addresses
|
||||||
|
|
||||||
|
As pointed out by Chris Evans <scarybeasts@gmail.com> it's better
|
||||||
|
security wise to not expose object addresses directly, use a diff
|
||||||
|
w.r.t. the document root own address to avoid this
|
||||||
|
* libxslt/functions.c: fix IDs generation code
|
||||||
|
---
|
||||||
|
diff --git a/libxslt/functions.c b/libxslt/functions.c
|
||||||
|
index 4720c7a..de962f4 100644
|
||||||
|
--- a/libxslt/functions.c
|
||||||
|
+++ b/libxslt/functions.c
|
||||||
|
@@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
|
||||||
|
void
|
||||||
|
xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
|
||||||
|
xmlNodePtr cur = NULL;
|
||||||
|
- unsigned long val;
|
||||||
|
- xmlChar str[20];
|
||||||
|
+ long val;
|
||||||
|
+ xmlChar str[30];
|
||||||
|
+ xmlDocPtr doc;
|
||||||
|
|
||||||
|
if (nargs == 0) {
|
||||||
|
cur = ctxt->context->node;
|
||||||
|
@@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
|
||||||
|
* Okay this is ugly but should work, use the NodePtr address
|
||||||
|
* to forge the ID
|
||||||
|
*/
|
||||||
|
- val = (unsigned long)((char *)cur - (char *)0);
|
||||||
|
- val /= sizeof(xmlNode);
|
||||||
|
- sprintf((char *)str, "id%ld", val);
|
||||||
|
+ if (cur->type != XML_NAMESPACE_DECL)
|
||||||
|
+ doc = cur->doc;
|
||||||
|
+ else {
|
||||||
|
+ xmlNsPtr ns = (xmlNsPtr) cur;
|
||||||
|
+
|
||||||
|
+ if (ns->context != NULL)
|
||||||
|
+ doc = ns->context;
|
||||||
|
+ else
|
||||||
|
+ doc = ctxt->context->doc;
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ val = (long)((char *)cur - (char *)doc);
|
||||||
|
+ if (val >= 0) {
|
||||||
|
+ sprintf((char *)str, "idp%ld", val);
|
||||||
|
+ } else {
|
||||||
|
+ sprintf((char *)str, "idm%ld", -val);
|
||||||
|
+ }
|
||||||
|
valuePush(ctxt, xmlXPathNewString(str));
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
cgit v0.8.3.4
|
||||||
@ -0,0 +1,27 @@
|
|||||||
|
From fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Abhishek Arya <inferno@chromium.org>
|
||||||
|
Date: Sun, 22 Jan 2012 17:47:50 +0800
|
||||||
|
Subject: [PATCH] Fix some case of pattern parsing errors
|
||||||
|
|
||||||
|
We could accidentally hit an off by one string array access
|
||||||
|
due to improper loop exit when parsing patterns
|
||||||
|
---
|
||||||
|
libxslt/pattern.c | 2 ++
|
||||||
|
1 files changed, 2 insertions(+), 0 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libxslt/pattern.c b/libxslt/pattern.c
|
||||||
|
index 6161376..1155b54 100644
|
||||||
|
--- a/libxslt/pattern.c
|
||||||
|
+++ b/libxslt/pattern.c
|
||||||
|
@@ -1867,6 +1867,8 @@ xsltCompilePatternInternal(const xmlChar *pattern, xmlDocPtr doc,
|
||||||
|
while ((pattern[end] != 0) && (pattern[end] != '"'))
|
||||||
|
end++;
|
||||||
|
}
|
||||||
|
+ if (pattern[end] == 0)
|
||||||
|
+ break;
|
||||||
|
end++;
|
||||||
|
}
|
||||||
|
if (current == end) {
|
||||||
|
--
|
||||||
|
1.7.8.4
|
||||||
|
|
||||||
Loading…
Reference in New Issue
Block a user