diff options
Diffstat (limited to 'dev-libs/libxslt')
-rw-r--r-- | dev-libs/libxslt/Manifest | 3 | ||||
-rw-r--r-- | dev-libs/libxslt/files/libxslt-1.1.34-CVE-2021-30560.patch | 194 | ||||
-rw-r--r-- | dev-libs/libxslt/files/libxslt-1.1.34-libxml2-2.9.12.patch | 120 | ||||
-rw-r--r-- | dev-libs/libxslt/libxslt-1.1.34-r2.ebuild | 72 |
4 files changed, 389 insertions, 0 deletions
diff --git a/dev-libs/libxslt/Manifest b/dev-libs/libxslt/Manifest index d43419e2d7ae..d7e37aba1157 100644 --- a/dev-libs/libxslt/Manifest +++ b/dev-libs/libxslt/Manifest @@ -1,4 +1,7 @@ +AUX libxslt-1.1.34-CVE-2021-30560.patch 6053 BLAKE2B cbeae5b4f87a6a5872a015848b19605ab8798b0f6ed6b8367a3cee4de16ccf698b01fd4201114a4d1cd3fdd5e075c7b92def4bcec8526e3e87561a10f4ba1525 SHA512 8c0316a21d048723e3d32ceb9fdaba4739b52f974b1e0bba5afa8fcf406bca8d1377fcd6b49c91a539e67b0b8b03ff3673762302330dfeff26f77be2e6502ecc +AUX libxslt-1.1.34-libxml2-2.9.12.patch 4178 BLAKE2B 00dc945c2a4d50bb4a428c1ae5fe16128565d6bf8174b245c035c65281c3b1e9c798b61054b538341a2ea099fa4287be99e53c2efae67b8b43649946d6b0b643 SHA512 f688a68e7f9b005a2073722c0857dc4de786a9fb18d50065d9b5cda9bb5cc4597f3f34b4ba5448739b993dab46fb49ee22d3cd15c7c7434bb56d04dc06896e0b DIST libxslt-1.1.34.tar.gz 3552258 BLAKE2B f043a0357e0705ab68041adf4031a6b3e0b5c3d396691c988a34963a0ee0ebe3bede2d1d7a0c5f0c42c046183653c94f4b51e10e35980a039c8cad446e84ad86 SHA512 1516a11ad608b04740674060d2c5d733b88889de5e413b9a4e8bf8d1a90d712149df6d2b1345b615f529d7c7d3fa6dae12e544da828b39c7d415e54c0ee0776b DIST libxslt-1.1.34.tar.gz.asc 488 BLAKE2B fff407ab2c2bbafa804e5a1f84ca447c706d75fd7489c99ac6040b625d0417a0e6c189be3457e6cc6ecd6b7860829875ea95a132fef24f8a532156361f8a5308 SHA512 9b155d4571daede99cdbf2813a85fb04812737b5e23d3f7c9840225b38f3dbf171623a21645daaee190e7ff9ba38bde932922e96a2a2312c203ffa9917c3baea EBUILD libxslt-1.1.34-r1.ebuild 1896 BLAKE2B afaf24eff826feaaf6f2ce237c6576a9046665ffe7aca21de53ff39be1df5ad646997cc02e09ca97209f5be4b2649afa992fea78b4471d3f9408e702638e80d4 SHA512 c28937d9ca1b393d9ef56cc09025fb51390466c5c4eafedac6131917054b6846d981ea7d9ea0d0d66b5fce3edb8f633afebce2c98203adef4544dafafbe4ce3d +EBUILD libxslt-1.1.34-r2.ebuild 1993 BLAKE2B 4688bd781750deed5dd5751df48d7309dc979abb8176a1130946694102af37722a0e1d7b61bc8a3f28f04046b131047650715c4f52185e07c38e1cbd43f23c52 SHA512 0c4cd4da6ad25a09be20a02a5f4dfba32e3b3d2b9ab9c654129961945d743c8acd3d35bb457267f966eb89c81585388718af1245638088f7398959bb7c5fa962 MISC metadata.xml 458 BLAKE2B 75fd3316bf24367ed9748bf7fefd6ebc36811d1cef9606b9fd68155ef7412d192ebc3cc883a79f15210decb7ef7707ff82155ec2f04974c2dca84496660519a8 SHA512 9baf1253900f23539a78ef57cc03cca552eadeb92721517e2f3f54c3df72be8d364b30449ad433793c38a2c1872273231f0b3fe865b2ace2e605a1ae290c4f6b diff --git a/dev-libs/libxslt/files/libxslt-1.1.34-CVE-2021-30560.patch b/dev-libs/libxslt/files/libxslt-1.1.34-CVE-2021-30560.patch new file mode 100644 index 000000000000..dcda176c513a --- /dev/null +++ b/dev-libs/libxslt/files/libxslt-1.1.34-CVE-2021-30560.patch @@ -0,0 +1,194 @@ +https://gitlab.gnome.org/GNOME/libxslt/-/issues/56 +https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8 +https://gitlab.gnome.org/GNOME/libxslt/-/issues/51 +https://bugs.gentoo.org/790218 + +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 12 Jun 2021 20:02:53 +0200 +Subject: [PATCH] Fix use-after-free in xsltApplyTemplates + +xsltApplyTemplates without a select expression could delete nodes in +the source document. + +1. Text nodes with strippable whitespace + +Whitespace from input documents is already stripped, so there's no +need to strip it again. Under certain circumstances, xsltApplyTemplates +could be fooled into deleting text nodes that are still referenced, +resulting in a use-after-free. + +2. The DTD + +The DTD was only unlinked, but there's no good reason to do this just +now. Maybe it was meant as a micro-optimization. + +3. Unknown nodes + +Useless and dangerous as well, especially with XInclude nodes. +See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268 + +Simply stop trying to uselessly delete nodes when applying a template. +This part of the code is probably a leftover from a time where +xsltApplyStripSpaces wasn't implemented yet. Also note that +xsltApplyTemplates with a select expression never tried to delete +nodes. + +Also stop xsltDefaultProcessOneNode from deleting nodes for the same +reasons. + +This fixes CVE-2021-30560. +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -1895,7 +1895,7 @@ static void + xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, + xsltStackElemPtr params) { + xmlNodePtr copy; +- xmlNodePtr delete = NULL, cur; ++ xmlNodePtr cur; + int nbchild = 0, oldSize; + int childno = 0, oldPos; + xsltTemplatePtr template; +@@ -1968,54 +1968,13 @@ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, + return; + } + /* +- * Handling of Elements: first pass, cleanup and counting ++ * Handling of Elements: first pass, counting + */ + cur = node->children; + while (cur != NULL) { +- switch (cur->type) { +- case XML_TEXT_NODE: +- case XML_CDATA_SECTION_NODE: +- case XML_DOCUMENT_NODE: +- case XML_HTML_DOCUMENT_NODE: +- case XML_ELEMENT_NODE: +- case XML_PI_NODE: +- case XML_COMMENT_NODE: +- nbchild++; +- break; +- case XML_DTD_NODE: +- /* Unlink the DTD, it's still reachable using doc->intSubset */ +- if (cur->next != NULL) +- cur->next->prev = cur->prev; +- if (cur->prev != NULL) +- cur->prev->next = cur->next; +- break; +- default: +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: skipping node type %d\n", +- cur->type)); +-#endif +- delete = cur; +- } ++ if (IS_XSLT_REAL_NODE(cur)) ++ nbchild++; + cur = cur->next; +- if (delete != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: removing ignorable blank node\n")); +-#endif +- xmlUnlinkNode(delete); +- xmlFreeNode(delete); +- delete = NULL; +- } +- } +- if (delete != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: removing ignorable blank node\n")); +-#endif +- xmlUnlinkNode(delete); +- xmlFreeNode(delete); +- delete = NULL; + } + + /* +@@ -4864,7 +4823,7 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, + xsltStylePreCompPtr comp = (xsltStylePreCompPtr) castedComp; + #endif + int i; +- xmlNodePtr cur, delNode = NULL, oldContextNode; ++ xmlNodePtr cur, oldContextNode; + xmlNodeSetPtr list = NULL, oldList; + xsltStackElemPtr withParams = NULL; + int oldXPProximityPosition, oldXPContextSize; +@@ -4998,73 +4957,9 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, + else + cur = NULL; + while (cur != NULL) { +- switch (cur->type) { +- case XML_TEXT_NODE: +- if ((IS_BLANK_NODE(cur)) && +- (cur->parent != NULL) && +- (cur->parent->type == XML_ELEMENT_NODE) && +- (ctxt->style->stripSpaces != NULL)) { +- const xmlChar *val; +- +- if (cur->parent->ns != NULL) { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- cur->parent->name, +- cur->parent->ns->href); +- if (val == NULL) { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- BAD_CAST "*", +- cur->parent->ns->href); +- } +- } else { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- cur->parent->name, NULL); +- } +- if ((val != NULL) && +- (xmlStrEqual(val, (xmlChar *) "strip"))) { +- delNode = cur; +- break; +- } +- } +- /* Intentional fall-through */ +- case XML_ELEMENT_NODE: +- case XML_DOCUMENT_NODE: +- case XML_HTML_DOCUMENT_NODE: +- case XML_CDATA_SECTION_NODE: +- case XML_PI_NODE: +- case XML_COMMENT_NODE: +- xmlXPathNodeSetAddUnique(list, cur); +- break; +- case XML_DTD_NODE: +- /* Unlink the DTD, it's still reachable +- * using doc->intSubset */ +- if (cur->next != NULL) +- cur->next->prev = cur->prev; +- if (cur->prev != NULL) +- cur->prev->next = cur->next; +- break; +- case XML_NAMESPACE_DECL: +- break; +- default: +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, +- "xsltApplyTemplates: skipping cur type %d\n", +- cur->type)); +-#endif +- delNode = cur; +- } ++ if (IS_XSLT_REAL_NODE(cur)) ++ xmlXPathNodeSetAddUnique(list, cur); + cur = cur->next; +- if (delNode != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, +- "xsltApplyTemplates: removing ignorable blank cur\n")); +-#endif +- xmlUnlinkNode(delNode); +- xmlFreeNode(delNode); +- delNode = NULL; +- } + } + } + +GitLab diff --git a/dev-libs/libxslt/files/libxslt-1.1.34-libxml2-2.9.12.patch b/dev-libs/libxslt/files/libxslt-1.1.34-libxml2-2.9.12.patch new file mode 100644 index 000000000000..635fb576d3de --- /dev/null +++ b/dev-libs/libxslt/files/libxslt-1.1.34-libxml2-2.9.12.patch @@ -0,0 +1,120 @@ +https://gitlab.gnome.org/GNOME/libxslt/-/commit/9ae2f94df1721e002941b40665efb762aefcea1a +https://gitlab.gnome.org/GNOME/libxslt/-/commit/824657768aea2cce9c23e72ba8085cb5e44350c7 +https://gitlab.gnome.org/GNOME/libxslt/-/commit/77c26bad0433541f486b1e7ced44ca9979376908 + +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Mon, 17 Aug 2020 03:42:11 +0200 +Subject: [PATCH] Stop using maxParserDepth XPath limit + +This will be removed again from libxml2. +--- a/tests/fuzz/fuzz.c ++++ b/tests/fuzz/fuzz.c +@@ -183,8 +183,7 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + xpctxt = tctxt->xpathCtxt; + + /* Resource limits to avoid timeouts and call stack overflows */ +- xpctxt->maxParserDepth = 15; +- xpctxt->maxDepth = 100; ++ xpctxt->maxDepth = 500; + xpctxt->opLimit = 500000; + + /* Test namespaces used in xpath.xml */ +@@ -317,8 +316,7 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + + static void + xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) { +- ctxt->maxParserDepth = 15; +- ctxt->maxDepth = 100; ++ ctxt->maxDepth = 200; + ctxt->opLimit = 100000; + } + +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Mon, 17 Aug 2020 04:27:13 +0200 +Subject: [PATCH] Transfer XPath limits to XPtr context + +Expressions like document('doc.xml#xpointer(evil_expr)') ignored the +XPath limits. +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -178,10 +178,22 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI) + goto out_fragment; + } + ++#if LIBXML_VERSION >= 20911 || \ ++ defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) ++ xptrctxt->opLimit = ctxt->context->opLimit; ++ xptrctxt->opCount = ctxt->context->opCount; ++ xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth; ++ ++ resObj = xmlXPtrEval(fragment, xptrctxt); ++ ++ ctxt->context->opCount = xptrctxt->opCount; ++#else + resObj = xmlXPtrEval(fragment, xptrctxt); +- xmlXPathFreeContext(xptrctxt); + #endif + ++ xmlXPathFreeContext(xptrctxt); ++#endif /* LIBXML_XPTR_ENABLED */ ++ + if (resObj == NULL) + goto out_fragment; + +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Wed, 26 Aug 2020 00:34:38 +0200 +Subject: [PATCH] Don't set maxDepth in XPath contexts + +The maximum recursion depth is hardcoded in libxml2 now. +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -182,7 +182,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI) + defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) + xptrctxt->opLimit = ctxt->context->opLimit; + xptrctxt->opCount = ctxt->context->opCount; +- xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth; ++ xptrctxt->depth = ctxt->context->depth; + + resObj = xmlXPtrEval(fragment, xptrctxt); + +--- a/tests/fuzz/fuzz.c ++++ b/tests/fuzz/fuzz.c +@@ -183,7 +183,6 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + xpctxt = tctxt->xpathCtxt; + + /* Resource limits to avoid timeouts and call stack overflows */ +- xpctxt->maxDepth = 500; + xpctxt->opLimit = 500000; + + /* Test namespaces used in xpath.xml */ +@@ -314,12 +313,6 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + return 0; + } + +-static void +-xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) { +- ctxt->maxDepth = 200; +- ctxt->opLimit = 100000; +-} +- + xmlChar * + xsltFuzzXslt(const char *data, size_t size) { + xmlDocPtr xsltDoc; +@@ -349,7 +342,7 @@ xsltFuzzXslt(const char *data, size_t size) { + xmlFreeDoc(xsltDoc); + return NULL; + } +- xsltSetXPathResourceLimits(sheet->xpathCtxt); ++ sheet->xpathCtxt->opLimit = 100000; + sheet->xpathCtxt->opCount = 0; + if (xsltParseStylesheetUser(sheet, xsltDoc) != 0) { + xsltFreeStylesheet(sheet); +@@ -361,7 +354,7 @@ xsltFuzzXslt(const char *data, size_t size) { + xsltSetCtxtSecurityPrefs(sec, ctxt); + ctxt->maxTemplateDepth = 100; + ctxt->opLimit = 20000; +- xsltSetXPathResourceLimits(ctxt->xpathCtxt); ++ ctxt->xpathCtxt->opLimit = 100000; + ctxt->xpathCtxt->opCount = sheet->xpathCtxt->opCount; + + result = xsltApplyStylesheetUser(sheet, doc, NULL, NULL, NULL, ctxt); diff --git a/dev-libs/libxslt/libxslt-1.1.34-r2.ebuild b/dev-libs/libxslt/libxslt-1.1.34-r2.ebuild new file mode 100644 index 000000000000..8d2b03569657 --- /dev/null +++ b/dev-libs/libxslt/libxslt-1.1.34-r2.ebuild @@ -0,0 +1,72 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/danielveillard.asc +inherit libtool multilib-minimal verify-sig + +# Note: Please bump this in sync with dev-libs/libxml2. +DESCRIPTION="XSLT libraries and tools" +HOMEPAGE="http://www.xmlsoft.org/ https://gitlab.gnome.org/GNOME/libxslt" +SRC_URI="ftp://xmlsoft.org/${PN}/${P}.tar.gz" +SRC_URI+=" verify-sig? ( ftp://xmlsoft.org/${PN}/${P}.tar.gz.asc )" + +LICENSE="MIT" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="crypt debug examples static-libs elibc_Darwin" + +BDEPEND=">=virtual/pkgconfig-1 + verify-sig? ( app-crypt/openpgp-keys-danielveillard )" +RDEPEND=" + >=dev-libs/libxml2-2.9.11:2[${MULTILIB_USEDEP}] + crypt? ( >=dev-libs/libgcrypt-1.5.3:0=[${MULTILIB_USEDEP}] ) +" +DEPEND="${RDEPEND}" + +MULTILIB_CHOST_TOOLS=( + /usr/bin/xslt-config +) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/libxslt/xsltconfig.h +) + +PATCHES=( + "${FILESDIR}"/${P}-libxml2-2.9.12.patch + "${FILESDIR}"/${P}-CVE-2021-30560.patch +) + +src_prepare() { + default + + DOCS=( AUTHORS ChangeLog FEATURES NEWS README TODO ) + + # Prefix always needs elibtoolize if not eautoreconf'd. + elibtoolize +} + +multilib_src_configure() { + # Python bindings were dropped as they were Python 2 only at the time + ECONF_SOURCE="${S}" econf \ + --with-html-dir="${EPREFIX}"/usr/share/doc/${PF} \ + --with-html-subdir=html \ + --without-python \ + $(use_with crypt crypto) \ + $(use_with debug) \ + $(use_with debug mem-debug) \ + $(use_enable static-libs static) \ + "$@" +} + +multilib_src_install() { + # "default" does not work here - docs are installed by multilib_src_install_all + emake DESTDIR="${D}" install +} + +multilib_src_install_all() { + einstalldocs + + find "${ED}" -type f -name "*.la" -delete || die +} |