gnu: libxslt: Fix CVE-2016-4738.
* gnu/packages/patches/libxslt-CVE-2016-4738.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xml.scm (libxslt)[replacement]: New field. (libxslt/fixed): New variable.
This commit is contained in:
parent
d887f420d2
commit
0b34b58688
@ -692,6 +692,7 @@ dist_patch_DATA = \
|
||||
%D%/packages/patches/libxv-CVE-2016-5407.patch \
|
||||
%D%/packages/patches/libxvmc-CVE-2016-7953.patch \
|
||||
%D%/packages/patches/libxslt-generated-ids.patch \
|
||||
%D%/packages/patches/libxslt-CVE-2016-4738.patch \
|
||||
%D%/packages/patches/lirc-localstatedir.patch \
|
||||
%D%/packages/patches/llvm-for-extempore.patch \
|
||||
%D%/packages/patches/lm-sensors-hwmon-attrs.patch \
|
||||
|
39
gnu/packages/patches/libxslt-CVE-2016-4738.patch
Normal file
39
gnu/packages/patches/libxslt-CVE-2016-4738.patch
Normal file
@ -0,0 +1,39 @@
|
||||
Fix CVE-2016-4738:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738
|
||||
https://bugs.chromium.org/p/chromium/issues/detail?id=619006
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880
|
||||
|
||||
From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Fri, 10 Jun 2016 14:23:58 +0200
|
||||
Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
|
||||
|
||||
An empty decimal-separator could cause a heap overread. This can be
|
||||
exploited to leak a couple of bytes after the buffer that holds the
|
||||
pattern string.
|
||||
|
||||
Found with afl-fuzz and ASan.
|
||||
---
|
||||
libxslt/numbers.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
|
||||
index d1549b4..e78c46b 100644
|
||||
--- a/libxslt/numbers.c
|
||||
+++ b/libxslt/numbers.c
|
||||
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
|
||||
}
|
||||
|
||||
/* We have finished the integer part, now work on fraction */
|
||||
- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
|
||||
+ if ( (*the_format != 0) &&
|
||||
+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
|
||||
format_info.add_decimal = TRUE;
|
||||
the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
|
||||
}
|
||||
--
|
||||
2.10.2
|
||||
|
@ -147,6 +147,7 @@ project (but it is usable outside of the Gnome platform).")
|
||||
(define-public libxslt
|
||||
(package
|
||||
(name "libxslt")
|
||||
(replacement libxslt/fixed)
|
||||
(version "1.1.29")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
@ -168,6 +169,14 @@ project (but it is usable outside of the Gnome platform).")
|
||||
based on libxml for XML parsing, tree manipulation and XPath support.")
|
||||
(license license:x11)))
|
||||
|
||||
(define libxslt/fixed
|
||||
(package
|
||||
(inherit libxslt)
|
||||
(name "libxslt")
|
||||
(source (origin
|
||||
(inherit (package-source libxslt))
|
||||
(patches (search-patches "libxslt-CVE-2016-4738.patch"))))))
|
||||
|
||||
(define-public perl-graph-readwrite
|
||||
(package
|
||||
(name "perl-graph-readwrite")
|
||||
|
Loading…
Reference in New Issue
Block a user