~ruther/guix-local

0b34b58688ac0d9bc0e2700acf82269e67ccdfa3 — Leo Famulari 9 years ago d887f42 
gnu: libxslt: Fix CVE-2016-4738.

* gnu/packages/patches/libxslt-CVE-2016-4738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xml.scm (libxslt)[replacement]: New field.
(libxslt/fixed): New variable.
patch browse .tar.gz 
3 files changed, 49 insertions(+), 0 deletions(-)

M gnu/local.mk
A gnu/packages/patches/libxslt-CVE-2016-4738.patch
M gnu/packages/xml.scm

M gnu/local.mk => gnu/local.mk +1 -0
@@ 692,6 692,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/libxv-CVE-2016-5407.patch		\
  %D%/packages/patches/libxvmc-CVE-2016-7953.patch		\
  %D%/packages/patches/libxslt-generated-ids.patch		\
  %D%/packages/patches/libxslt-CVE-2016-4738.patch		\
  %D%/packages/patches/lirc-localstatedir.patch			\
  %D%/packages/patches/llvm-for-extempore.patch			\
  %D%/packages/patches/lm-sensors-hwmon-attrs.patch		\


A gnu/packages/patches/libxslt-CVE-2016-4738.patch => gnu/packages/patches/libxslt-CVE-2016-4738.patch +39 -0
@@ 0,0 1,39 @@
Fix CVE-2016-4738:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738
https://bugs.chromium.org/p/chromium/issues/detail?id=619006

Patch copied from upstream source repository:
https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880

From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 10 Jun 2016 14:23:58 +0200
Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion

An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.

Found with afl-fuzz and ASan.
---
 libxslt/numbers.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index d1549b4..e78c46b 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
     }
 
     /* We have finished the integer part, now work on fraction */
-    if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
+    if ( (*the_format != 0) &&
+         (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
         format_info.add_decimal = TRUE;
 	the_format += xsltUTF8Size(the_format);	/* Skip over the decimal */
     }
-- 
2.10.2



M gnu/packages/xml.scm => gnu/packages/xml.scm +9 -0
@@ 147,6 147,7 @@ project (but it is usable outside of the Gnome platform).")
(define-public libxslt
  (package
    (name "libxslt")
    (replacement libxslt/fixed)
    (version "1.1.29")
    (source (origin
             (method url-fetch)


@@ 168,6 169,14 @@ project (but it is usable outside of the Gnome platform).")
based on libxml for XML parsing, tree manipulation and XPath support.")
    (license license:x11)))

(define libxslt/fixed
  (package
    (inherit libxslt)
    (name "libxslt")
    (source (origin
              (inherit (package-source libxslt))
              (patches (search-patches "libxslt-CVE-2016-4738.patch"))))))

(define-public perl-graph-readwrite
  (package
    (name "perl-graph-readwrite")