From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/libxslt/, dev-libs/libxslt/files/
Date: Fri, 29 Oct 2021 15:28:39 +0000 (UTC)	[thread overview]
Message-ID: <1635521304.76c0287bfb98ed25b63c9ad892fa6a1ee1c87dc0.sam@gentoo> (raw)

commit:     76c0287bfb98ed25b63c9ad892fa6a1ee1c87dc0
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 29 15:26:36 2021 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Oct 29 15:28:24 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76c0287b

dev-libs/libxslt: fix tests with newer libxml2; patch CVE-2021-30560

Note that we now depend on libxml2 >= 2.9.11 to be safe: some of the
bundled patches carry compatibility guards, but not all of them do, and
upstream develops libxml2 and libxslt in tandem anyway.

Closes: https://bugs.gentoo.org/790218
Bug: https://bugs.gentoo.org/820722
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/libxslt-1.1.34-CVE-2021-30560.patch      | 194 +++++++++++++++++++++
 .../files/libxslt-1.1.34-libxml2-2.9.12.patch      | 120 +++++++++++++
 dev-libs/libxslt/libxslt-1.1.34-r2.ebuild          |  72 ++++++++
 3 files changed, 386 insertions(+)

diff --git a/dev-libs/libxslt/files/libxslt-1.1.34-CVE-2021-30560.patch b/dev-libs/libxslt/files/libxslt-1.1.34-CVE-2021-30560.patch
new file mode 100644
index 00000000000..dcda176c513
--- /dev/null
+++ b/dev-libs/libxslt/files/libxslt-1.1.34-CVE-2021-30560.patch
@@ -0,0 +1,194 @@
+https://gitlab.gnome.org/GNOME/libxslt/-/issues/56
+https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8
+https://gitlab.gnome.org/GNOME/libxslt/-/issues/51
+https://bugs.gentoo.org/790218
+
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 12 Jun 2021 20:02:53 +0200
+Subject: [PATCH] Fix use-after-free in xsltApplyTemplates
+
+xsltApplyTemplates without a select expression could delete nodes in
+the source document.
+
+1. Text nodes with strippable whitespace
+
+Whitespace from input documents is already stripped, so there's no
+need to strip it again. Under certain circumstances, xsltApplyTemplates
+could be fooled into deleting text nodes that are still referenced,
+resulting in a use-after-free.
+
+2. The DTD
+
+The DTD was only unlinked, but there's no good reason to do this just
+now. Maybe it was meant as a micro-optimization.
+
+3. Unknown nodes
+
+Useless and dangerous as well, especially with XInclude nodes.
+See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268
+
+Simply stop trying to uselessly delete nodes when applying a template.
+This part of the code is probably a leftover from a time where
+xsltApplyStripSpaces wasn't implemented yet. Also note that
+xsltApplyTemplates with a select expression never tried to delete
+nodes.
+
+Also stop xsltDefaultProcessOneNode from deleting nodes for the same
+reasons.
+
+This fixes CVE-2021-30560.
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -1895,7 +1895,7 @@ static void
+ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ 			  xsltStackElemPtr params) {
+     xmlNodePtr copy;
+-    xmlNodePtr delete = NULL, cur;
++    xmlNodePtr cur;
+     int nbchild = 0, oldSize;
+     int childno = 0, oldPos;
+     xsltTemplatePtr template;
+@@ -1968,54 +1968,13 @@ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ 	    return;
+     }
+     /*
+-     * Handling of Elements: first pass, cleanup and counting
++     * Handling of Elements: first pass, counting
+      */
+     cur = node->children;
+     while (cur != NULL) {
+-	switch (cur->type) {
+-	    case XML_TEXT_NODE:
+-	    case XML_CDATA_SECTION_NODE:
+-	    case XML_DOCUMENT_NODE:
+-	    case XML_HTML_DOCUMENT_NODE:
+-	    case XML_ELEMENT_NODE:
+-	    case XML_PI_NODE:
+-	    case XML_COMMENT_NODE:
+-		nbchild++;
+-		break;
+-            case XML_DTD_NODE:
+-		/* Unlink the DTD, it's still reachable using doc->intSubset */
+-		if (cur->next != NULL)
+-		    cur->next->prev = cur->prev;
+-		if (cur->prev != NULL)
+-		    cur->prev->next = cur->next;
+-		break;
+-	    default:
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+-		XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
+-		 "xsltDefaultProcessOneNode: skipping node type %d\n",
+-		                 cur->type));
+-#endif
+-		delete = cur;
+-	}
++	if (IS_XSLT_REAL_NODE(cur))
++	    nbchild++;
+ 	cur = cur->next;
+-	if (delete != NULL) {
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+-	    XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
+-		 "xsltDefaultProcessOneNode: removing ignorable blank node\n"));
+-#endif
+-	    xmlUnlinkNode(delete);
+-	    xmlFreeNode(delete);
+-	    delete = NULL;
+-	}
+-    }
+-    if (delete != NULL) {
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+-	XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
+-	     "xsltDefaultProcessOneNode: removing ignorable blank node\n"));
+-#endif
+-	xmlUnlinkNode(delete);
+-	xmlFreeNode(delete);
+-	delete = NULL;
+     }
+ 
+     /*
+@@ -4864,7 +4823,7 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+     xsltStylePreCompPtr comp = (xsltStylePreCompPtr) castedComp;
+ #endif
+     int i;
+-    xmlNodePtr cur, delNode = NULL, oldContextNode;
++    xmlNodePtr cur, oldContextNode;
+     xmlNodeSetPtr list = NULL, oldList;
+     xsltStackElemPtr withParams = NULL;
+     int oldXPProximityPosition, oldXPContextSize;
+@@ -4998,73 +4957,9 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ 	else
+ 	    cur = NULL;
+ 	while (cur != NULL) {
+-	    switch (cur->type) {
+-		case XML_TEXT_NODE:
+-		    if ((IS_BLANK_NODE(cur)) &&
+-			(cur->parent != NULL) &&
+-			(cur->parent->type == XML_ELEMENT_NODE) &&
+-			(ctxt->style->stripSpaces != NULL)) {
+-			const xmlChar *val;
+-
+-			if (cur->parent->ns != NULL) {
+-			    val = (const xmlChar *)
+-				  xmlHashLookup2(ctxt->style->stripSpaces,
+-						 cur->parent->name,
+-						 cur->parent->ns->href);
+-			    if (val == NULL) {
+-				val = (const xmlChar *)
+-				  xmlHashLookup2(ctxt->style->stripSpaces,
+-						 BAD_CAST "*",
+-						 cur->parent->ns->href);
+-			    }
+-			} else {
+-			    val = (const xmlChar *)
+-				  xmlHashLookup2(ctxt->style->stripSpaces,
+-						 cur->parent->name, NULL);
+-			}
+-			if ((val != NULL) &&
+-			    (xmlStrEqual(val, (xmlChar *) "strip"))) {
+-			    delNode = cur;
+-			    break;
+-			}
+-		    }
+-		    /* Intentional fall-through */
+-		case XML_ELEMENT_NODE:
+-		case XML_DOCUMENT_NODE:
+-		case XML_HTML_DOCUMENT_NODE:
+-		case XML_CDATA_SECTION_NODE:
+-		case XML_PI_NODE:
+-		case XML_COMMENT_NODE:
+-		    xmlXPathNodeSetAddUnique(list, cur);
+-		    break;
+-		case XML_DTD_NODE:
+-		    /* Unlink the DTD, it's still reachable
+-		     * using doc->intSubset */
+-		    if (cur->next != NULL)
+-			cur->next->prev = cur->prev;
+-		    if (cur->prev != NULL)
+-			cur->prev->next = cur->next;
+-		    break;
+-		case XML_NAMESPACE_DECL:
+-		    break;
+-		default:
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+-		    XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext,
+-		     "xsltApplyTemplates: skipping cur type %d\n",
+-				     cur->type));
+-#endif
+-		    delNode = cur;
+-	    }
++            if (IS_XSLT_REAL_NODE(cur))
++		xmlXPathNodeSetAddUnique(list, cur);
+ 	    cur = cur->next;
+-	    if (delNode != NULL) {
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+-		XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext,
+-		     "xsltApplyTemplates: removing ignorable blank cur\n"));
+-#endif
+-		xmlUnlinkNode(delNode);
+-		xmlFreeNode(delNode);
+-		delNode = NULL;
+-	    }
+ 	}
+     }
+ 
+GitLab
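Review bot: The final line of the new patch file, `+GitLab`, is a copy artifact from the GitLab commit page rather than part of the upstream patch; GNU patch should skip trailing non-diff text, but a stray line in a security backport invites doubt about what else was altered, so drop it. The new side also relies on `IS_XSLT_REAL_NODE(cur)`, which is not defined anywhere in the hunk — presumably it comes from libxslt's own headers in 1.1.34, but the patch header would be more useful to the next bumper if it said so, e.g. `Backported verbatim from upstream 50f9c9cd; only libxslt/transform.c changes, IS_XSLT_REAL_NODE is already provided by xsltInternals.h.` Both rewritten functions, xsltDefaultProcessOneNode and xsltApplyTemplates, begin and end outside the quoted ranges.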

diff --git a/dev-libs/libxslt/files/libxslt-1.1.34-libxml2-2.9.12.patch b/dev-libs/libxslt/files/libxslt-1.1.34-libxml2-2.9.12.patch
new file mode 100644
index 00000000000..635fb576d3d
--- /dev/null
+++ b/dev-libs/libxslt/files/libxslt-1.1.34-libxml2-2.9.12.patch
@@ -0,0 +1,120 @@
+https://gitlab.gnome.org/GNOME/libxslt/-/commit/9ae2f94df1721e002941b40665efb762aefcea1a
+https://gitlab.gnome.org/GNOME/libxslt/-/commit/824657768aea2cce9c23e72ba8085cb5e44350c7
+https://gitlab.gnome.org/GNOME/libxslt/-/commit/77c26bad0433541f486b1e7ced44ca9979376908
+
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 17 Aug 2020 03:42:11 +0200
+Subject: [PATCH] Stop using maxParserDepth XPath limit
+
+This will be removed again from libxml2.
+--- a/tests/fuzz/fuzz.c
++++ b/tests/fuzz/fuzz.c
+@@ -183,8 +183,7 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
+     xpctxt = tctxt->xpathCtxt;
+ 
+     /* Resource limits to avoid timeouts and call stack overflows */
+-    xpctxt->maxParserDepth = 15;
+-    xpctxt->maxDepth = 100;
++    xpctxt->maxDepth = 500;
+     xpctxt->opLimit = 500000;
+ 
+     /* Test namespaces used in xpath.xml */
+@@ -317,8 +316,7 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
+ 
+ static void
+ xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
+-    ctxt->maxParserDepth = 15;
+-    ctxt->maxDepth = 100;
++    ctxt->maxDepth = 200;
+     ctxt->opLimit = 100000;
+ }
+ 
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 17 Aug 2020 04:27:13 +0200
+Subject: [PATCH] Transfer XPath limits to XPtr context
+
+Expressions like document('doc.xml#xpointer(evil_expr)') ignored the
+XPath limits.
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -178,10 +178,22 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
+ 	goto out_fragment;
+     }
+ 
++#if LIBXML_VERSION >= 20911 || \
++    defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
++    xptrctxt->opLimit = ctxt->context->opLimit;
++    xptrctxt->opCount = ctxt->context->opCount;
++    xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
++
++    resObj = xmlXPtrEval(fragment, xptrctxt);
++
++    ctxt->context->opCount = xptrctxt->opCount;
++#else
+     resObj = xmlXPtrEval(fragment, xptrctxt);
+-    xmlXPathFreeContext(xptrctxt);
+ #endif
+ 
++    xmlXPathFreeContext(xptrctxt);
++#endif /* LIBXML_XPTR_ENABLED */
++
+     if (resObj == NULL)
+ 	goto out_fragment;
+ 
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 26 Aug 2020 00:34:38 +0200
+Subject: [PATCH] Don't set maxDepth in XPath contexts
+
+The maximum recursion depth is hardcoded in libxml2 now.
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -182,7 +182,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
+     defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
+     xptrctxt->opLimit = ctxt->context->opLimit;
+     xptrctxt->opCount = ctxt->context->opCount;
+-    xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
++    xptrctxt->depth = ctxt->context->depth;
+ 
+     resObj = xmlXPtrEval(fragment, xptrctxt);
+ 
+--- a/tests/fuzz/fuzz.c
++++ b/tests/fuzz/fuzz.c
+@@ -183,7 +183,6 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
+     xpctxt = tctxt->xpathCtxt;
+ 
+     /* Resource limits to avoid timeouts and call stack overflows */
+-    xpctxt->maxDepth = 500;
+     xpctxt->opLimit = 500000;
+ 
+     /* Test namespaces used in xpath.xml */
+@@ -314,12 +313,6 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
+     return 0;
+ }
+ 
+-static void
+-xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
+-    ctxt->maxDepth = 200;
+-    ctxt->opLimit = 100000;
+-}
+-
+ xmlChar *
+ xsltFuzzXslt(const char *data, size_t size) {
+     xmlDocPtr xsltDoc;
+@@ -349,7 +342,7 @@ xsltFuzzXslt(const char *data, size_t size) {
+         xmlFreeDoc(xsltDoc);
+         return NULL;
+     }
+-    xsltSetXPathResourceLimits(sheet->xpathCtxt);
++    sheet->xpathCtxt->opLimit = 100000;
+     sheet->xpathCtxt->opCount = 0;
+     if (xsltParseStylesheetUser(sheet, xsltDoc) != 0) {
+         xsltFreeStylesheet(sheet);
+@@ -361,7 +354,7 @@ xsltFuzzXslt(const char *data, size_t size) {
+     xsltSetCtxtSecurityPrefs(sec, ctxt);
+     ctxt->maxTemplateDepth = 100;
+     ctxt->opLimit = 20000;
+-    xsltSetXPathResourceLimits(ctxt->xpathCtxt);
++    ctxt->xpathCtxt->opLimit = 100000;
+     ctxt->xpathCtxt->opCount = sheet->xpathCtxt->opCount;
+ 
+     result = xsltApplyStylesheetUser(sheet, doc, NULL, NULL, NULL, ctxt);
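Review bot: In the functions.c change the `#else` branch still calls `xmlXPtrEval(fragment, xptrctxt)` on a fresh context with no `opLimit`/`opCount`/`depth` transferred, so the hardening described in the header — stopping `document('doc.xml#xpointer(evil_expr)')` from bypassing the XPath limits — is only active when `LIBXML_VERSION >= 20911` or in fuzzing builds. That branch is dead on Gentoo because the ebuild pins libxml2 >= 2.9.11, but the patch does not say so; a one-line comment inside the `#else`, `/* older libxml2: no XPath limit fields, XPointer expression runs unlimited */`, would make the coverage gap explicit for anyone who relaxes the dependency later. Note also that the three upstream commits are stacked in one file and the third hunk edits the same region of xsltDocumentFunctionLoadDocument as the second, so the file only applies if eapply processes the sections in order — which GNU patch does, but it is worth stating in the header. xsltDocumentFunctionLoadDocument continues outside the quoted ranges.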

diff --git a/dev-libs/libxslt/libxslt-1.1.34-r2.ebuild b/dev-libs/libxslt/libxslt-1.1.34-r2.ebuild
new file mode 100644
index 00000000000..df1a9b5e042
--- /dev/null
+++ b/dev-libs/libxslt/libxslt-1.1.34-r2.ebuild
@@ -0,0 +1,72 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/danielveillard.asc
+inherit libtool multilib-minimal verify-sig
+
+# Note: Please bump this in sync with dev-libs/libxml2.
+DESCRIPTION="XSLT libraries and tools"
+HOMEPAGE="http://www.xmlsoft.org/ https://gitlab.gnome.org/GNOME/libxslt"
+SRC_URI="ftp://xmlsoft.org/${PN}/${P}.tar.gz"
+SRC_URI+=" verify-sig? ( ftp://xmlsoft.org/${PN}/${P}.tar.gz.asc )"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="crypt debug examples static-libs elibc_Darwin"
+
+BDEPEND=">=virtual/pkgconfig-1
+	verify-sig? ( app-crypt/openpgp-keys-danielveillard )"
+RDEPEND="
+	>=dev-libs/libxml2-2.9.11:2[${MULTILIB_USEDEP}]
+	crypt? ( >=dev-libs/libgcrypt-1.5.3:0=[${MULTILIB_USEDEP}] )
+"
+DEPEND="${RDEPEND}"
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/xslt-config
+)
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/libxslt/xsltconfig.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-libxml2-2.9.12.patch
+	"${FILESDIR}"/${P}-CVE-2021-30560.patch
+)
+
+src_prepare() {
+	default
+
+	DOCS=( AUTHORS ChangeLog FEATURES NEWS README TODO )
+
+	# Prefix always needs elibtoolize if not eautoreconf'd.
+	elibtoolize
+}
+
+multilib_src_configure() {
+	# Python bindings were dropped as they were Python 2 only at the time
+	ECONF_SOURCE="${S}" econf \
+		--with-html-dir="${EPREFIX}"/usr/share/doc/${PF} \
+		--with-html-subdir=html \
+		--without-python \
+		$(use_with crypt crypto) \
+		$(use_with debug) \
+		$(use_with debug mem-debug) \
+		$(use_enable static-libs static) \
+		"$@"
+}
+
+multilib_src_install() {
+	# "default" does not work here - docs are installed by multilib_src_install_all
+	emake DESTDIR="${D}" install
+}
+
+multilib_src_install_all() {
+	einstalldocs
+
+	find "${ED}" -type f -name "*.la" -delete || die
+}
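Review bot: The libxml2 floor `>=dev-libs/libxml2-2.9.11:2` in RDEPEND is unexplained, and the nearby `# Note: Please bump this in sync with dev-libs/libxml2.` comment reads as a generic lockstep reminder; the actual reason is that the bundled libxml2-2.9.12 patch guards on `LIBXML_VERSION >= 20911` and reads the `opLimit`, `opCount` and `depth` XPath-context fields, so an older libxml2 would silently take the unlimited `#else` path. Add above RDEPEND: `# >=2.9.11: the libxml2-2.9.12 patch needs the XPath opLimit/opCount/depth context fields (guarded on LIBXML_VERSION >= 20911); older versions would skip the XPointer limit transfer.` Separately, the tarball is fetched over plaintext `ftp://`, so with USE=-verify-sig authenticity of a CVE-fix release rests on the Manifest hashes alone; if upstream offers an https mirror it would be the better default.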

