Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 582962 Details for
Bug 684206
<dev-libs/libxslt-1.1.33-r1: xsltCheckRead and xsltCheckWrite routines security bypass by crafted URL (CVE-2019-11068)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Working version of the patch - no longer downloadable
libxslt-1.1.33-CVE-2019-11068.patch (text/plain), 3.87 KB, created by
Bryant Hansen
on 2019-07-16 09:35:04 UTC
(
hide
)
Description:
Working version of the patch - no longer downloadable
Filename:
MIME Type:
Creator:
Bryant Hansen
Created:
2019-07-16 09:35:04 UTC
Size:
3.87 KB
patch
obsolete
>From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001 >From: Nick Wellnhofer <wellnhofer@aevum.de> >Date: Sun, 24 Mar 2019 09:51:39 +0100 >Subject: [PATCH] Fix security framework bypass > >xsltCheckRead and xsltCheckWrite return -1 in case of error but callers >don't check for this condition and allow access. With a specially >crafted URL, xsltCheckRead could be tricked into returning an error >because of a supposedly invalid URL that would still be loaded >succesfully later on. > >Fixes #12. > >Thanks to Felix Wilhelm for the report. >--- > libxslt/documents.c | 18 ++++++++++-------- > libxslt/imports.c | 9 +++++---- > libxslt/transform.c | 9 +++++---- > libxslt/xslt.c | 9 +++++---- > 4 files changed, 25 insertions(+), 20 deletions(-) > >diff --git a/libxslt/documents.c b/libxslt/documents.c >index 3f3a7312..4aad11bb 100644 >--- a/libxslt/documents.c >+++ b/libxslt/documents.c >@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) { > int res; > > res = xsltCheckRead(ctxt->sec, ctxt, URI); >- if (res == 0) { >- xsltTransformError(ctxt, NULL, NULL, >- "xsltLoadDocument: read rights for %s denied\n", >- URI); >+ if (res <= 0) { >+ if (res == 0) >+ xsltTransformError(ctxt, NULL, NULL, >+ "xsltLoadDocument: read rights for %s denied\n", >+ URI); > return(NULL); > } > } >@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) { > int res; > > res = xsltCheckRead(sec, NULL, URI); >- if (res == 0) { >- xsltTransformError(NULL, NULL, NULL, >- "xsltLoadStyleDocument: read rights for %s denied\n", >- URI); >+ if (res <= 0) { >+ if (res == 0) >+ xsltTransformError(NULL, NULL, NULL, >+ "xsltLoadStyleDocument: read rights for %s denied\n", >+ URI); > return(NULL); > } > } >diff --git a/libxslt/imports.c b/libxslt/imports.c >index 874870cc..3783b247 100644 >--- a/libxslt/imports.c >+++ b/libxslt/imports.c >@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) { > int secres; > > secres = xsltCheckRead(sec, NULL, URI); >- if (secres == 0) { >- xsltTransformError(NULL, NULL, NULL, >- "xsl:import: read rights for %s denied\n", >- URI); >+ if (secres <= 0) { >+ if (secres == 0) >+ xsltTransformError(NULL, NULL, NULL, >+ "xsl:import: read rights for %s denied\n", >+ URI); > goto error; > } > } >diff --git a/libxslt/transform.c b/libxslt/transform.c >index 13793914..0636dbd0 100644 >--- a/libxslt/transform.c >+++ b/libxslt/transform.c >@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node, > */ > if (ctxt->sec != NULL) { > ret = xsltCheckWrite(ctxt->sec, ctxt, filename); >- if (ret == 0) { >- xsltTransformError(ctxt, NULL, inst, >- "xsltDocumentElem: write rights for %s denied\n", >- filename); >+ if (ret <= 0) { >+ if (ret == 0) >+ xsltTransformError(ctxt, NULL, inst, >+ "xsltDocumentElem: write rights for %s denied\n", >+ filename); > xmlFree(URL); > xmlFree(filename); > return; >diff --git a/libxslt/xslt.c b/libxslt/xslt.c >index 780a5ad7..a234eb79 100644 >--- a/libxslt/xslt.c >+++ b/libxslt/xslt.c >@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) { > int res; > > res = xsltCheckRead(sec, NULL, filename); >- if (res == 0) { >- xsltTransformError(NULL, NULL, NULL, >- "xsltParseStylesheetFile: read rights for %s denied\n", >- filename); >+ if (res <= 0) { >+ if (res == 0) >+ xsltTransformError(NULL, NULL, NULL, >+ "xsltParseStylesheetFile: read rights for %s denied\n", >+ filename); > return(NULL); > } > } >-- >2.18.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 684206
: 582962