Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi

This update addresses CVE-2019-18197 as well for stretch (was already
done for buster in the last point release). Attaching the resulting
debdiff.

Regards,
Salvatore
diff -Nru libxslt-1.1.29/debian/changelog libxslt-1.1.29/debian/changelog
--- libxslt-1.1.29/debian/changelog     2019-08-24 14:04:13.000000000 +0200
+++ libxslt-1.1.29/debian/changelog     2019-12-04 15:41:16.000000000 +0100
@@ -1,3 +1,10 @@
+libxslt (1.1.29-2.1+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix dangling pointer in xsltCopyText (CVE-2019-18197) (Closes: #942646)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 04 Dec 2019 15:41:16 +0100
+
 libxslt (1.1.29-2.1+deb9u1) stretch; urgency=medium
 
   * Non-maintainer upload.
diff -Nru 
libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch 
libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch
--- 
libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch   
    1970-01-01 01:00:00.000000000 +0100
+++ 
libxslt-1.1.29/debian/patches/0012-Fix-dangling-pointer-in-xsltCopyText.patch   
    2019-12-04 15:41:16.000000000 +0100
@@ -0,0 +1,35 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Sat, 17 Aug 2019 16:51:53 +0200
+Subject: Fix dangling pointer in xsltCopyText
+Origin: 
https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18197
+Bug-Debian: https://bugs.debian.org/942646
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
+
+xsltCopyText didn't reset ctxt->lasttext in some cases which could
+lead to various memory errors in relation with CDATA sections in input
+documents.
+
+Found by OSS-Fuzz.
+---
+ libxslt/transform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 95ebd0732f95..d7ab0b6677cc 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr 
target,
+           if ((copy->content = xmlStrdup(cur->content)) == NULL)
+               return NULL;
+       }
++
++      ctxt->lasttext = NULL;
+     } else {
+         /*
+        * normal processing. keep counters to extend the text node
+-- 
+2.20.1
+
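Review bot: in the libxslt/transform.c hunk, the new `ctxt->lasttext = NULL;` sits after the block that contains `return NULL;` for a failed `xmlStrdup`, so that early-return path leaves the function without the reset. Please confirm that a stale `ctxt->lasttext` cannot be reached after that failure, or move the reset ahead of the allocation so every exit from this branch clears it. The diffstat also lists only libxslt/transform.c, so no regression test accompanies the fix; a small test with a CDATA section in the input document, the case the description names, would guard the backport.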
diff -Nru libxslt-1.1.29/debian/patches/series 
libxslt-1.1.29/debian/patches/series
--- libxslt-1.1.29/debian/patches/series        2019-08-24 14:04:13.000000000 
+0200
+++ libxslt-1.1.29/debian/patches/series        2019-12-04 15:41:16.000000000 
+0100
@@ -9,3 +9,4 @@
 0009-Fix-security-framework-bypass.patch
 0010-Fix-uninitialized-read-of-xsl-number-token.patch
 0011-Fix-uninitialized-read-with-UTF-8-grouping-chars.patch
+0012-Fix-dangling-pointer-in-xsltCopyText.patch
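Review bot: the new series entry places 0012 after 0011, so the backported hunk is applied on top of all earlier patches to libxslt/transform.c. The patch carries the upstream commit's `index 95ebd0732f95..d7ab0b6677cc` line and an offset of 1094, which were produced against the upstream tree rather than 1.1.29. It would help to state in the request that the series applies without fuzz at this position, or to refresh the patch so its context matches the stretch source.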
