Mercurial Mercurial > sustaining > oi_151a > sfw-gate / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
libxslt CVE-2011-3970 oi_151a
authorJon Tibble <meths@btinternet.com>
Tue, 03 Jul 2012 21:34:06 +0100
branchoi_151a
changeset 159 8763167bd725
parent 158 28e54743a266
child 160 72c572eb4adf
libxslt CVE-2011-3970
usr/src/lib/libxslt/Makefile.sfw file | annotate | diff | comparison | revisions
usr/src/lib/libxslt/cve-2011-1202.patch file | annotate | diff | comparison | revisions
usr/src/lib/libxslt/libtool.patch file | annotate | diff | comparison | revisions
usr/src/lib/libxslt/patches/CVE-2011-1202.patch file | annotate | diff | comparison | revisions
usr/src/lib/libxslt/patches/CVE-2011-3970.patch file | annotate | diff | comparison | revisions
usr/src/lib/libxslt/patches/libtool.patch file | annotate | diff | comparison | revisions 
--- a/usr/src/lib/libxslt/Makefile.sfw	Thu Jul 26 19:15:54 2012 +0100
+++ b/usr/src/lib/libxslt/Makefile.sfw	Tue Jul 03 21:34:06 2012 +0100
@@ -118,8 +118,9 @@
 	    ./configure --prefix=$(CFGPREFIX) \
 	    --with-libxml-include-prefix=$(ROOT)$(CFGPREFIX)/include/libxml2 \
 	    --with-python=/usr/bin/python2.4 --without-crypto)
-	patch -N $(VER)/libtool < libtool.patch
-	patch -N $(VER)/libxslt/functions.c < cve-2011-1202.patch
+	patch -N $(VER)/libtool < patches/libtool.patch
+	patch -N $(VER)/libxslt/functions.c < patches/CVE-2011-1202.patch
+	patch -N $(VER)/libxslt/pattern.c < patches/CVE-2011-3970.patch
 	cp -pr $(VER)/python $(VER)/python2.6
 	perl -pi -e 's/2\.4/2\.6/g' $(VER)/python2.6/Makefile
 	cp mapfile.xslt $(VER)/libxslt/libxslt.syms
@@ -133,8 +134,9 @@
 	    ./configure --prefix=$(CFGPREFIX) \
 	    --with-libxml-include-prefix=$(ROOT)$(CFGPREFIX)/include/libxml2 \
 	    --with-python=/usr/bin/$(MACH64)/python2.4 --without-crypto)
-	patch -N $(VER64)/libtool < libtool.patch
-	patch -N $(VER64)/libxslt/functions.c < cve-2011-1202.patch
+	patch -N $(VER64)/libtool < patches/libtool.patch
+	patch -N $(VER64)/libxslt/functions.c < patches/CVE-2011-1202.patch
+	patch -N $(VER64)/libxslt/pattern.c < patches/CVE-2011-3970.patch
 	cp -pr $(VER64)/python $(VER64)/python2.6
 	perl -pi -e 's/2\.4/2\.6/g' $(VER64)/python2.6/Makefile
 	cp mapfile.xslt $(VER64)/libxslt/libxslt.syms
--- a/usr/src/lib/libxslt/cve-2011-1202.patch	Thu Jul 26 19:15:54 2012 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,56 +0,0 @@
-From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <[email protected]>
-Date: Tue, 22 Feb 2011 02:14:23 +0000
-Subject: Fix generate-id() to not expose object addresses
-
-As pointed out by Chris Evans <[email protected]> it's better
-security wise to not expose object addresses directly, use a diff
-w.r.t. the document root own address to avoid this
-* libxslt/functions.c: fix IDs generation code
----
-diff --git a/libxslt/functions.c b/libxslt/functions.c
-index 4720c7a..de962f4 100644
---- a/libxslt/functions.c
-+++ b/libxslt/functions.c
-@@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
- void
- xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
-     xmlNodePtr cur = NULL;
--    unsigned long val;
--    xmlChar str[20];
-+    long val;
-+    xmlChar str[30];
-+    xmlDocPtr doc;
- 
-     if (nargs == 0) {
- 	cur = ctxt->context->node;
-@@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
-      * Okay this is ugly but should work, use the NodePtr address
-      * to forge the ID
-      */
--    val = (unsigned long)((char *)cur - (char *)0);
--    val /= sizeof(xmlNode);
--    sprintf((char *)str, "id%ld", val);
-+    if (cur->type != XML_NAMESPACE_DECL)
-+        doc = cur->doc;
-+    else {
-+        xmlNsPtr ns = (xmlNsPtr) cur;
-+
-+        if (ns->context != NULL)
-+            doc = ns->context;
-+        else
-+            doc = ctxt->context->doc;
-+
-+    }
-+
-+    val = (long)((char *)cur - (char *)doc);
-+    if (val >= 0) {
-+      sprintf((char *)str, "idp%ld", val);
-+    } else {
-+      sprintf((char *)str, "idm%ld", -val);
-+    }
-     valuePush(ctxt, xmlXPathNewString(str));
- }
- 
---
-cgit v0.9.0.2
--- a/usr/src/lib/libxslt/libtool.patch	Thu Jul 26 19:15:54 2012 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
---- libxml2-2.7.4/libtool.orig	Sun Sep 13 17:47:18 2009
-+++ libxml2-2.7.4/libtool	Sun Sep 13 17:47:34 2009
-@@ -237,7 +237,7 @@
- finish_eval=""
- 
- # Whether we should hardcode library paths into libraries.
--hardcode_into_libs=yes
-+hardcode_into_libs=no
- 
- # Compile-time system search path for libraries.
- sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/libxslt/patches/CVE-2011-1202.patch	Tue Jul 03 21:34:06 2012 +0100
@@ -0,0 +1,56 @@
+From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Tue, 22 Feb 2011 02:14:23 +0000
+Subject: Fix generate-id() to not expose object addresses
+
+As pointed out by Chris Evans <[email protected]> it's better
+security wise to not expose object addresses directly, use a diff
+w.r.t. the document root own address to avoid this
+* libxslt/functions.c: fix IDs generation code
+---
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 4720c7a..de962f4 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
+ void
+ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+     xmlNodePtr cur = NULL;
+-    unsigned long val;
+-    xmlChar str[20];
++    long val;
++    xmlChar str[30];
++    xmlDocPtr doc;
+ 
+     if (nargs == 0) {
+ 	cur = ctxt->context->node;
+@@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+      * Okay this is ugly but should work, use the NodePtr address
+      * to forge the ID
+      */
+-    val = (unsigned long)((char *)cur - (char *)0);
+-    val /= sizeof(xmlNode);
+-    sprintf((char *)str, "id%ld", val);
++    if (cur->type != XML_NAMESPACE_DECL)
++        doc = cur->doc;
++    else {
++        xmlNsPtr ns = (xmlNsPtr) cur;
++
++        if (ns->context != NULL)
++            doc = ns->context;
++        else
++            doc = ctxt->context->doc;
++
++    }
++
++    val = (long)((char *)cur - (char *)doc);
++    if (val >= 0) {
++      sprintf((char *)str, "idp%ld", val);
++    } else {
++      sprintf((char *)str, "idm%ld", -val);
++    }
+     valuePush(ctxt, xmlXPathNewString(str));
+ }
+ 
+--
+cgit v0.9.0.2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/libxslt/patches/CVE-2011-3970.patch	Tue Jul 03 21:34:06 2012 +0100
@@ -0,0 +1,11 @@
+--- libxslt-1.1.26/libxslt/pattern.c.orig	2012-07-03 10:07:47.903679049 -0700
++++ libxslt-1.1.26/libxslt/pattern.c	2012-07-03 10:08:43.621787188 -0700
+@@ -1864,6 +1864,8 @@
+ 		while ((pattern[end] != 0) && (pattern[end] != '"'))
+ 		    end++;
+ 	    }
++	    if (pattern[end] == 0)
++		break;
+ 	    end++;
+ 	}
+ 	if (current == end) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/libxslt/patches/libtool.patch	Tue Jul 03 21:34:06 2012 +0100
@@ -0,0 +1,11 @@
+--- libxml2-2.7.4/libtool.orig	Sun Sep 13 17:47:18 2009
++++ libxml2-2.7.4/libtool	Sun Sep 13 17:47:34 2009
+@@ -237,7 +237,7 @@
+ finish_eval=""
+ 
+ # Whether we should hardcode library paths into libraries.
+-hardcode_into_libs=yes
++hardcode_into_libs=no
+ 
+ # Compile-time system search path for libraries.
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
sustaining/oi_151a/sfw-gate