Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi

This update addresses CVE-2019-18197 as well for stretch (was already done for buster in the last point release).

Attaching the resulting debdiff.

Regards,
Salvatore

diff -Nru libxslt-1.1.29/debian/changelog libxslt-1.1.29/debian/changelog --- libxslt-1.1.29/debian/changelog 2019-08-24 14:04:13.000000000 +0200 +++ libxslt-1.1.29/debian/changelog 2019-12-04 15:41:16.000000000 +0100 @@ -1,3 +1,10 @@ +libxslt (1.1.29-2.1+deb9u2) stretch; urgency=medium + + * Non-maintainer upload. + * Fix dangling pointer in xsltCopyText (CVE-2019-18197) (Closes: #942646) + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 04 Dec 2019 15:41:16 +0100 + libxslt (1.1.29-2.1+deb9u1) stretch; urgency=medium * Non-maintainer upload. diff -Nru libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch --- libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch 2019-12-04 15:41:16.000000000 +0100 
@@ -0,0 +1,35 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Sat, 17 Aug 2019 16:51:53 +0200 +Subject: Fix dangling pointer in xsltCopyText +Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18197 +Bug-Debian: https://bugs.debian.org/942646 +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746 +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768 +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914 + +xsltCopyText didn't reset ctxt->lasttext in some cases which could +lead to various memory errors in relation with CDATA sections in input +documents. + +Found by OSS-Fuzz. +--- + libxslt/transform.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 95ebd0732f95..d7ab0b6677cc 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target, + if ((copy->content = xmlStrdup(cur->content)) == NULL) + return NULL; + } ++ ++ ctxt->lasttext = NULL; + } else { + /* + * normal processing. keep counters to extend the text node +-- +2.20.1 + diff -Nru libxslt-1.1.29/debian/patches/series libxslt-1.1.29/debian/patches/series --- libxslt-1.1.29/debian/patches/series 2019-08-24 14:04:13.000000000 +0200 +++ libxslt-1.1.29/debian/patches/series 2019-12-04 15:41:16.000000000 +0100 @@ -9,3 +9,4 @@ 0009-Fix-security-framework-bypass.patch 0010-Fix-uninitialized-read-of-xsl-number-token.patch 0011-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch +0012-Fix-dangling-pointer-in-xsltCopyText.patch
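
Review bot: In the xsltCopyText hunk of libxslt/transform.c, the new `ctxt->lasttext = NULL;` sits after the `return NULL;` taken when `xmlStrdup(cur->content)` fails, so that error path still leaves ctxt->lasttext untouched. Either move the reset ahead of the allocation or confirm that callers abandon the transform context when xsltCopyText returns NULL. The added line also has no comment saying why this branch must clear lasttext while the else branch ("normal processing. keep counters to extend the text node") relies on it, and the diffstat shows only transform.c changing (2 insertions), so a regression test with a CDATA section in the input document, as the commit message describes, would help keep the fix in place across future point releases.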