Hi

Slightly refreshed patches, taken from the upstream git commits, are attached.
However, the resulting package has not been tested yet (it has only passed the testsuite).

Regards,
Salvatore
diff -Nru libxslt-1.1.26/debian/changelog libxslt-1.1.26/debian/changelog
--- libxslt-1.1.26/debian/changelog     2012-10-02 17:55:02.000000000 +0200
+++ libxslt-1.1.26/debian/changelog     2013-03-25 23:49:09.000000000 +0100
@@ -1,3 +1,11 @@
+libxslt (1.1.26-14.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add patches to fix denial of service vulnerability (CVE-2012-6139)
+    (Closes: #703933)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Mon, 25 Mar 2013 23:48:39 +0100
+
 libxslt (1.1.26-14) unstable; urgency=low
 
   * Patch to fix three CVEs (Closes: #689422):
diff -Nru 
libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch
 
libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch
--- 
libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
libxslt-1.1.26/debian/patches/0009-Fix-crash-with-empty-xsl-key-match-attribute.patch
       2013-03-25 23:49:09.000000000 +0100
@@ -0,0 +1,64 @@
+From dc11b6b379a882418093ecc8adf11f6166682e8d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Sun, 21 Oct 2012 19:02:25 +0200
+Subject: [PATCH] Fix crash with empty xsl:key/@match attribute
+
+See https://bugzilla.gnome.org/show_bug.cgi?id=685328
+
+Also improve some xsl:key error messages.
+---
+ libxslt/keys.c |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/libxslt/keys.c
++++ b/libxslt/keys.c
+@@ -311,8 +311,8 @@
+               end = skipPredicate(match, end);
+               if (end <= 0) {
+                   xsltTransformError(NULL, style, inst,
+-                                     "key pattern is malformed: %s",
+-                                     key->match);
++                      "xsl:key : 'match' pattern is malformed: %s",
++                      key->match);
+                   if (style != NULL) style->errors++;
+                   goto error;
+               }
+@@ -321,7 +321,7 @@
+       }
+       if (current == end) {
+           xsltTransformError(NULL, style, inst,
+-                             "key pattern is empty\n");
++                             "xsl:key : 'match' pattern is empty\n");
+           if (style != NULL) style->errors++;
+           goto error;
+       }
+@@ -344,6 +344,12 @@
+       }
+       current = end;
+     }
++    if (pattern == NULL) {
++        xsltTransformError(NULL, style, inst,
++                           "xsl:key : 'match' pattern is empty\n");
++        if (style != NULL) style->errors++;
++        goto error;
++    }
+ #ifdef WITH_XSLT_DEBUG_KEYS
+     xsltGenericDebug(xsltGenericDebugContext,
+       "   resulting pattern %s\n", pattern);
+@@ -359,14 +365,14 @@
+     key->comp = xsltXPathCompile(style, pattern);
+     if (key->comp == NULL) {
+       xsltTransformError(NULL, style, inst,
+-              "xsl:key : XPath pattern compilation failed '%s'\n",
++              "xsl:key : 'match' pattern compilation failed '%s'\n",
+                        pattern);
+       if (style != NULL) style->errors++;
+     }
+     key->usecomp = xsltXPathCompile(style, use);
+     if (key->usecomp == NULL) {
+       xsltTransformError(NULL, style, inst,
+-              "xsl:key : XPath pattern compilation failed '%s'\n",
++              "xsl:key : 'use' expression compilation failed '%s'\n",
+                        use);
+       if (style != NULL) style->errors++;
+     }
diff -Nru 
libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch
 
libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch
--- 
libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
libxslt-1.1.26/debian/patches/0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch
       2013-03-25 23:49:09.000000000 +0100
@@ -0,0 +1,85 @@
+From 6c99c519d97e5fcbec7a9537d190efb442e4e833 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Wed, 10 Oct 2012 12:09:36 +0200
+Subject: [PATCH] Crash when passing an uninitialized variable to document()
+
+https://bugzilla.gnome.org/show_bug.cgi?id=685330
+
+Missing check for NULL
+---
+ libxslt/functions.c       |    5 +++--
+ tests/docs/Makefile.am    |    1 +
+ tests/docs/bug-180.xml    |    2 ++
+ tests/general/Makefile.am |    1 +
+ tests/general/bug-180.err |    4 ++++
+ tests/general/bug-180.xsl |    8 ++++++++
+ 6 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-180.xml
+ create mode 100644 tests/general/bug-180.err
+ create mode 100644 tests/general/bug-180.out
+ create mode 100644 tests/general/bug-180.xsl
+
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -260,7 +260,7 @@
+         obj = valuePop(ctxt);
+         ret = xmlXPathNewNodeSet(NULL);
+ 
+-        if (obj->nodesetval) {
++        if ((obj != NULL) && obj->nodesetval) {
+             for (i = 0; i < obj->nodesetval->nodeNr; i++) {
+                 valuePush(ctxt,
+                           xmlXPathNewNodeSet(obj->nodesetval->nodeTab[i]));
+@@ -280,7 +280,8 @@
+             }
+         }
+ 
+-        xmlXPathFreeObject(obj);
++        if (obj != NULL)
++            xmlXPathFreeObject(obj);
+         if (obj2 != NULL)
+             xmlXPathFreeObject(obj2);
+         valuePush(ctxt, ret);
+--- /dev/null
++++ b/tests/docs/bug-180.xml
+@@ -0,0 +1,2 @@
++<doc/>
++
+--- /dev/null
++++ b/tests/general/bug-180.err
+@@ -0,0 +1,4 @@
++runtime error: file ./bug-180.xsl line 4 element copy-of
++Variable 'xxx' has not been declared.
++XPath error : Stack usage errror
++xmlXPathCompiledEval: 1 objects left on the stack.
+--- /dev/null
++++ b/tests/general/bug-180.xsl
+@@ -0,0 +1,8 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"; 
version="1.0">
++
++  <xsl:template match="/">
++      <xsl:copy-of select=" * | document($xxx) "/>
++  </xsl:template>
++
++</xsl:stylesheet>
++
+--- a/tests/docs/Makefile.am
++++ b/tests/docs/Makefile.am
+@@ -168,6 +168,7 @@
+       bug-167.xml \
+       bug-168.xml \
+       bug-169.xml \
++      bug-180.xml \
+       character.xml \
+       array.xml \
+       items.xml
+--- a/tests/general/Makefile.am
++++ b/tests/general/Makefile.am
+@@ -177,6 +177,7 @@
+     bug-167.out bug-167.xsl \
+     bug-168.out bug-168.xsl \
+     bug-169.out bug-169.xsl bug-169.imp \
++    bug-180.out bug-180.xsl bug-180.err \
+     character.out character.xsl \
+     character2.out character2.xsl \
+     itemschoose.out itemschoose.xsl \
diff -Nru libxslt-1.1.26/debian/patches/series 
libxslt-1.1.26/debian/patches/series
--- libxslt-1.1.26/debian/patches/series        2012-10-02 17:53:16.000000000 
+0200
+++ libxslt-1.1.26/debian/patches/series        2013-03-25 23:49:09.000000000 
+0100
@@ -6,3 +6,5 @@
 0006-cve-2012-2870.patch
 0007-Fix-default-template-processing-on-namespace-nodes.patch
 0008-Fix-a-dictionary-string-usage.patch
+0009-Fix-crash-with-empty-xsl-key-match-attribute.patch
+0010-Crash-when-passing-an-uninitialized-variable-to-docu.patch
>From dc11b6b379a882418093ecc8adf11f6166682e8d Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnho...@aevum.de>
Date: Sun, 21 Oct 2012 19:02:25 +0200
Subject: [PATCH] Fix crash with empty xsl:key/@match attribute

See https://bugzilla.gnome.org/show_bug.cgi?id=685328

Also improve some xsl:key error messages.
---
 libxslt/keys.c |   16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/libxslt/keys.c
+++ b/libxslt/keys.c
@@ -311,8 +311,8 @@
 	        end = skipPredicate(match, end);
 		if (end <= 0) {
 		    xsltTransformError(NULL, style, inst,
-		                       "key pattern is malformed: %s",
-				       key->match);
+		        "xsl:key : 'match' pattern is malformed: %s",
+		        key->match);
 		    if (style != NULL) style->errors++;
 		    goto error;
 		}
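Review bot: The reworded "malformed" message in this hunk still ends without a newline, while every other xsl:key message touched by the patch ends in `\n`. I would change the format line to `"xsl:key : 'match' pattern is malformed: %s\n",` so the text is not run together with whatever is reported next. The loop this branch sits in and the `error` label are outside the hunk.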
@@ -321,7 +321,7 @@
 	}
 	if (current == end) {
 	    xsltTransformError(NULL, style, inst,
-			       "key pattern is empty\n");
+			       "xsl:key : 'match' pattern is empty\n");
 	    if (style != NULL) style->errors++;
 	    goto error;
 	}
@@ -344,6 +344,12 @@
 	}
 	current = end;
     }
+    if (pattern == NULL) {
+        xsltTransformError(NULL, style, inst,
+                           "xsl:key : 'match' pattern is empty\n");
+        if (style != NULL) style->errors++;
+        goto error;
+    }
 #ifdef WITH_XSLT_DEBUG_KEYS
     xsltGenericDebug(xsltGenericDebugContext,
 	"   resulting pattern %s\n", pattern);
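Review bot: No regression test accompanies the new `pattern == NULL` guard: the diffstat lists only libxslt/keys.c, whereas the document() fix in the same upload adds a bug-180 case. A tests/general stylesheet declaring an xsl:key with an empty `match` attribute, with the "'match' pattern is empty" message in its expected .err file, would keep the crash from coming back unnoticed. A one-line comment above the guard would also help, for example `/* nothing was appended to pattern, e.g. an empty match attribute */`. The loop that builds `pattern` starts outside the hunk, so confirm which inputs actually reach this path.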
@@ -359,14 +365,14 @@
     key->comp = xsltXPathCompile(style, pattern);
     if (key->comp == NULL) {
 	xsltTransformError(NULL, style, inst,
-		"xsl:key : XPath pattern compilation failed '%s'\n",
+		"xsl:key : 'match' pattern compilation failed '%s'\n",
 		         pattern);
 	if (style != NULL) style->errors++;
     }
     key->usecomp = xsltXPathCompile(style, use);
     if (key->usecomp == NULL) {
 	xsltTransformError(NULL, style, inst,
-		"xsl:key : XPath pattern compilation failed '%s'\n",
+		"xsl:key : 'use' expression compilation failed '%s'\n",
 		         use);
 	if (style != NULL) style->errors++;
     }
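Review bot: Both compilation-failure branches in this hunk only report and count the error and then fall through, unlike the earlier failure paths in the same patch, which `goto error`. If the key is still registered after this point (the rest of the function is outside the hunk), later code would see `key->comp` or `key->usecomp` as NULL. Either add `goto error;` to both branches or confirm that every consumer of the key checks for NULL. The commit only rewords the messages here, but this is the same class of crash the patch sets out to fix.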
>From 6c99c519d97e5fcbec7a9537d190efb442e4e833 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnho...@aevum.de>
Date: Wed, 10 Oct 2012 12:09:36 +0200
Subject: [PATCH] Crash when passing an uninitialized variable to document()

https://bugzilla.gnome.org/show_bug.cgi?id=685330

Missing check for NULL
---
 libxslt/functions.c       |    5 +++--
 tests/docs/Makefile.am    |    1 +
 tests/docs/bug-180.xml    |    2 ++
 tests/general/Makefile.am |    1 +
 tests/general/bug-180.err |    4 ++++
 tests/general/bug-180.xsl |    8 ++++++++
 6 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 tests/docs/bug-180.xml
 create mode 100644 tests/general/bug-180.err
 create mode 100644 tests/general/bug-180.out
 create mode 100644 tests/general/bug-180.xsl

--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -260,7 +260,7 @@
         obj = valuePop(ctxt);
         ret = xmlXPathNewNodeSet(NULL);
 
-        if (obj->nodesetval) {
+        if ((obj != NULL) && obj->nodesetval) {
             for (i = 0; i < obj->nodesetval->nodeNr; i++) {
                 valuePush(ctxt,
                           xmlXPathNewNodeSet(obj->nodesetval->nodeTab[i]));
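Review bot: With the added `obj != NULL` test, a failed `valuePop()` is handled as if it were an empty node-set and the function goes on to push `ret`, so the caller cannot tell a missing argument from an empty one. The expected output in tests/general/bug-180.err ("Stack usage errror", "1 objects left on the stack") suggests the XPath stack is left unbalanced on this path. Consider rejecting the NULL case right after the pop, e.g. `if (obj == NULL) { ctxt->error = XPATH_INVALID_OPERAND; return; }`, after releasing anything already popped (`obj2` is freed further down). `ret` from `xmlXPathNewNodeSet(NULL)` is also used unchecked. The enclosing function starts and ends outside the hunk.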
@@ -280,7 +280,8 @@
             }
         }
 
-        xmlXPathFreeObject(obj);
+        if (obj != NULL)
+            xmlXPathFreeObject(obj);
         if (obj2 != NULL)
             xmlXPathFreeObject(obj2);
         valuePush(ctxt, ret);
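Review bot: The new `if (obj != NULL)` guard around `xmlXPathFreeObject(obj)` is redundant if, as in current libxml2, that function returns immediately for a NULL argument; confirm this for the libxml2 version the package builds against. In that case the plain call `xmlXPathFreeObject(obj);` is enough. If the guard is kept for symmetry with the `obj2` line, brace both bodies so a later edit cannot detach the free from its condition.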
--- /dev/null
+++ b/tests/docs/bug-180.xml
@@ -0,0 +1,2 @@
+<doc/>
+
--- /dev/null
+++ b/tests/general/bug-180.err
@@ -0,0 +1,4 @@
+runtime error: file ./bug-180.xsl line 4 element copy-of
+Variable 'xxx' has not been declared.
+XPath error : Stack usage errror
+xmlXPathCompiledEval: 1 objects left on the stack.
--- /dev/null
+++ b/tests/general/bug-180.xsl
@@ -0,0 +1,8 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"; version="1.0">
+
+  <xsl:template match="/">
+      <xsl:copy-of select=" * | document($xxx) "/>
+  </xsl:template>
+
+</xsl:stylesheet>
+
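Review bot: The `xsl:stylesheet` start tag on the first added line has a `;` between the namespace declaration and `version="1.0"`, which is not well-formed XML, so the stylesheet as shown would fail to parse before `document($xxx)` is ever evaluated. This looks like an artifact of how the message was archived rather than part of the upstream commit. The copy embedded in the debdiff earlier on the page has the same character and is additionally line-wrapped. Check the file against commit 6c99c519d97e5fcbec7a9537d190efb442e4e833 before applying anything from this page; the intended line is presumably `<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">`.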
--- a/tests/docs/Makefile.am
+++ b/tests/docs/Makefile.am
@@ -168,6 +168,7 @@
 	bug-167.xml \
 	bug-168.xml \
 	bug-169.xml \
+	bug-180.xml \
 	character.xml \
 	array.xml \
 	items.xml
--- a/tests/general/Makefile.am
+++ b/tests/general/Makefile.am
@@ -177,6 +177,7 @@
     bug-167.out bug-167.xsl \
     bug-168.out bug-168.xsl \
     bug-169.out bug-169.xsl bug-169.imp \
+    bug-180.out bug-180.xsl bug-180.err \
     character.out character.xsl \
     character2.out character2.xsl \
     itemschoose.out itemschoose.xsl \
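Review bot: `bug-180.out` is added to the list in this hunk, and the commit header has `create mode 100644 tests/general/bug-180.out`, but no hunk in the patch creates that file and the diffstat does not count it. That is consistent with an empty expected-output file, which a plain `patch` or quilt apply will not create, so the tree built from debian/patches may lack a file the Makefile names. Confirm how the test harness and `make dist` behave when it is missing, or create the empty file explicitly in the packaging.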
