From e5b0e7ce64a69e31d55a077f1ba9d0a866bdf110 Mon Sep 17 00:00:00 2001 From: tez Date: Tue, 23 May 2017 23:37:01 +0000 Subject: Add patch for CVE-2017-5029 --- textproc/libxslt/Makefile | 4 +- textproc/libxslt/distinfo | 3 +- textproc/libxslt/patches/patch-CVE-2017-5029 | 58 ++++++++++++++++++++++++++++ 3 files changed, 62 insertions(+), 3 deletions(-) create mode 100644 textproc/libxslt/patches/patch-CVE-2017-5029 diff --git a/textproc/libxslt/Makefile b/textproc/libxslt/Makefile index 99eec126786..4154ca90822 100644 --- a/textproc/libxslt/Makefile +++ b/textproc/libxslt/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.104 2016/07/09 06:39:06 wiz Exp $ +# $NetBSD: Makefile,v 1.105 2017/05/23 23:37:01 tez Exp $ -PKGREVISION= 1 +PKGREVISION= 2 .include "Makefile.common" BUILD_DEPENDS+= docbook-xml-[0-9]*:../../textproc/docbook-xml diff --git a/textproc/libxslt/distinfo b/textproc/libxslt/distinfo index af5f013a7ba..dafc51a5626 100644 --- a/textproc/libxslt/distinfo +++ b/textproc/libxslt/distinfo @@ -1,8 +1,9 @@ -$NetBSD: distinfo,v 1.59 2017/05/16 13:51:50 dholland Exp $ +$NetBSD: distinfo,v 1.60 2017/05/23 23:37:01 tez Exp $ SHA1 (libxslt-1.1.29.tar.gz) = edcaeabb3555ae44853bdc406ee9521fb65c620d RMD160 (libxslt-1.1.29.tar.gz) = 40a5202b3967db6b01cd6c0e722a9e459cac7960 SHA512 (libxslt-1.1.29.tar.gz) = a1ce555a74a9dabe65e8f64bb66e27e77760fd76940d88f2d59f58dd63ca73c8ae59f3fcbd8e76c8f92ff992fb0c09328528c20ea38ccac83e63252106bf5f31 Size (libxslt-1.1.29.tar.gz) = 3428524 bytes +SHA1 (patch-CVE-2017-5029) = 98658fa048e440ef72460d4e082c0fd282154aa1 SHA1 (patch-ae) = 40ce3940a93b6a2dc804f62676909d3313e0ea52 SHA1 (patch-ah) = f92809ab34e53962ec8b62e50ded7a27c89f10f8 diff --git a/textproc/libxslt/patches/patch-CVE-2017-5029 b/textproc/libxslt/patches/patch-CVE-2017-5029 new file mode 100644 index 00000000000..1c6b07d0a7b --- /dev/null +++ b/textproc/libxslt/patches/patch-CVE-2017-5029 @@ -0,0 +1,58 @@ +$NetBSD: patch-CVE-2017-5029,v 1.1 2017/05/23 23:37:01 tez Exp $ + +Patch for CVE-2017-5029 from: + https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5 + + +--- libxslt/xsltInternals.h.orig 2017-05-23 23:14:05.625798800 +0000 ++++ libxslt/xsltInternals.h +@@ -1754,8 +1754,8 @@ struct _xsltTransformContext { + * Speed optimization when coalescing text nodes + */ + const xmlChar *lasttext; /* last text node content */ +- unsigned int lasttsize; /* last text node size */ +- unsigned int lasttuse; /* last text node use */ ++ int lasttsize; /* last text node size */ ++ int lasttuse; /* last text node use */ + /* + * Per Context Debugging + */ + +--- libxslt/transform.c.orig 2017-05-23 23:14:23.480987400 +0000 ++++ libxslt/transform.c +@@ -816,13 +816,32 @@ xsltAddTextString(xsltTransformContextPt + return(target); + + if (ctxt->lasttext == target->content) { ++ int minSize; + +- if (ctxt->lasttuse + len >= ctxt->lasttsize) { ++ /* Check for integer overflow accounting for NUL terminator. */ ++ if (len >= INT_MAX - ctxt->lasttuse) { ++ xsltTransformError(ctxt, NULL, target, ++ "xsltCopyText: text allocation failed\n"); ++ return(NULL); ++ } ++ minSize = ctxt->lasttuse + len + 1; ++ ++ if (ctxt->lasttsize < minSize) { + xmlChar *newbuf; + int size; ++ int extra; ++ ++ /* Double buffer size but increase by at least 100 bytes. */ ++ extra = minSize < 100 ? 100 : minSize; ++ ++ /* Check for integer overflow. */ ++ if (extra > INT_MAX - ctxt->lasttsize) { ++ size = INT_MAX; ++ } ++ else { ++ size = ctxt->lasttsize + extra; ++ } + +- size = ctxt->lasttsize + len + 100; +- size *= 2; + newbuf = (xmlChar *) xmlRealloc(target->content,size); + if (newbuf == NULL) { + xsltTransformError(ctxt, NULL, target, -- cgit v1.2.3