Hi,

I'll upload 1.2.14-1.1 to address this security issue according to the attached
patch.


Cheers,
Thijs
diff -u xmlsec1-1.2.14/debian/changelog xmlsec1-1.2.14/debian/changelog
--- xmlsec1-1.2.14/debian/changelog
+++ xmlsec1-1.2.14/debian/changelog
@@ -1,3 +1,11 @@
+xmlsec1 (1.2.14-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Apply patch from upstream addressing arbitrary file overwrite
+    (CVE-2011-1425, closes: #620560).
+
+ -- Thijs Kinkhorst <th...@debian.org>  Sat, 09 Apr 2011 17:40:24 +0200
+
 xmlsec1 (1.2.14-1) unstable; urgency=low
 
   * New upstream release, fixes CVE-2009-3736 (Closes: #559831)
only in patch2:
unchanged:
--- xmlsec1-1.2.14.orig/apps/xmlsec.c
+++ xmlsec1-1.2.14/apps/xmlsec.c
@@ -24,6 +24,7 @@
 #include <libxslt/extensions.h> 
 #include <libxslt/xsltInternals.h>
 #include <libxslt/xsltutils.h>
+#include <libxslt/security.h>
 #include <libexslt/exslt.h>
 #endif /* XMLSEC_NO_XSLT */
 
@@ -2400,6 +2401,11 @@
 }
 
 static int intialized = 0;
+
+#ifndef XMLSEC_NO_XSLT
+static xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
 static int
 xmlSecAppInit(void) {
     if(intialized != 0) {
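Review bot: The new file-scope `xsltSecPrefs` has no comment on its ownership or lifetime, which matters here because a security-relevant object is being kept in a global that another function later frees. A one-line comment above the declaration would make the contract explicit: `/* libxslt security prefs: allocated in xmlSecAppInit() and installed as the process-wide default; released in the shutdown path */`. The allocation and free themselves happen in later hunks of this patch, outside this one.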
@@ -2414,7 +2420,20 @@
 #ifndef XMLSEC_NO_XSLT
     xmlIndentTreeOutput = 1; 
 #endif /* XMLSEC_NO_XSLT */
-        	
+    
+
+    /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+    /* disable everything */
+    xsltSecPrefs = xsltNewSecurityPrefs(); 
+    xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_READ_FILE,        xsltSecurityForbid);
+    xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_WRITE_FILE,       xsltSecurityForbid);
+    xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+    xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_READ_NETWORK,     xsltSecurityForbid);
+    xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_WRITE_NETWORK,    xsltSecurityForbid);
+    xsltSetDefaultSecurityPrefs(xsltSecPrefs); 
+#endif /* XMLSEC_NO_XSLT */                
+    	
     /* Init xmlsec */
     if(xmlSecInit() < 0) {
 	fprintf(stderr, "Error: xmlsec intialization failed.\n");
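Review bot: The return value of `xsltNewSecurityPrefs()` is not checked before it is passed to the five `xsltSetSecurityPrefs()` calls and to `xsltSetDefaultSecurityPrefs()`; if it returns NULL on allocation failure, the forbid calls presumably have nothing to act on and the default stays unset, so the program continues in exactly the permissive mode this patch is meant to remove (fail-open for CVE-2011-1425). Initialization should fail closed instead, in the same way the `xmlSecInit()` failure just below appears to: `if(xsltSecPrefs == NULL) { fprintf(stderr, "Error: xslt security prefs initialization failed.\n"); return(-1); }`. The `xsltSetSecurityPrefs()` calls also return an int that is discarded; checking at least one of them, or all five via a combined `< 0` test, would close the same gap. The comment `/* disable everything */` would be more useful as `/* forbid file and network access from XSLT (CVE-2011-1425) */`, tying the restriction to its reason. xmlSecAppInit's body continues outside the hunk, so the exact return convention on the xmlSecInit failure path is not visible here.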
@@ -2461,6 +2480,7 @@
     
     /* Shutdown libxslt/libxml */
 #ifndef XMLSEC_NO_XSLT
+    xsltFreeSecurityPrefs(xsltSecPrefs);
     xsltCleanupGlobals();            
 #endif /* XMLSEC_NO_XSLT */
     xmlCleanupParser();
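Review bot: After `xsltFreeSecurityPrefs(xsltSecPrefs);` the file-scope pointer is left dangling, and the freed object is presumably still registered as libxslt's default until `xsltCleanupGlobals()` runs on the next line. Since the static remains in scope for the rest of the process, it should be cleared so a second call of this shutdown routine cannot double free: `xsltFreeSecurityPrefs(xsltSecPrefs); xsltSecPrefs = NULL;`. The enclosing shutdown function starts outside the hunk, so whether it is guarded against repeated calls cannot be confirmed from here.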
