commit: 76c0287bfb98ed25b63c9ad892fa6a1ee1c87dc0 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Fri Oct 29 15:26:36 2021 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Fri Oct 29 15:28:24 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76c0287b
dev-libs/libxslt: fix tests with newer libxml2; patch CVE-2021-30560 Note that we're now depending on >= .11 of libxml2 just to be safe, even though some of the patches seem to have compatibility guards, not all do - and upstream develop these in tandem anyway. Closes: https://bugs.gentoo.org/790218 Bug: https://bugs.gentoo.org/820722 Signed-off-by: Sam James <sam <AT> gentoo.org> .../files/libxslt-1.1.34-CVE-2021-30560.patch | 194 +++++++++++++++++++++ .../files/libxslt-1.1.34-libxml2-2.9.12.patch | 120 +++++++++++++ dev-libs/libxslt/libxslt-1.1.34-r2.ebuild | 72 ++++++++ 3 files changed, 386 insertions(+) diff --git a/dev-libs/libxslt/files/libxslt-1.1.34-CVE-2021-30560.patch b/dev-libs/libxslt/files/libxslt-1.1.34-CVE-2021-30560.patch new file mode 100644 index 00000000000..dcda176c513 --- /dev/null +++ b/dev-libs/libxslt/files/libxslt-1.1.34-CVE-2021-30560.patch @@ -0,0 +1,194 @@ +https://gitlab.gnome.org/GNOME/libxslt/-/issues/56 +https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8 +https://gitlab.gnome.org/GNOME/libxslt/-/issues/51 +https://bugs.gentoo.org/790218 + +From: Nick Wellnhofer <[email protected]> +Date: Sat, 12 Jun 2021 20:02:53 +0200 +Subject: [PATCH] Fix use-after-free in xsltApplyTemplates + +xsltApplyTemplates without a select expression could delete nodes in +the source document. + +1. Text nodes with strippable whitespace + +Whitespace from input documents is already stripped, so there's no +need to strip it again. Under certain circumstances, xsltApplyTemplates +could be fooled into deleting text nodes that are still referenced, +resulting in a use-after-free. + +2. The DTD + +The DTD was only unlinked, but there's no good reason to do this just +now. Maybe it was meant as a micro-optimization. + +3. Unknown nodes + +Useless and dangerous as well, especially with XInclude nodes. +See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268 + +Simply stop trying to uselessly delete nodes when applying a template. +This part of the code is probably a leftover from a time where +xsltApplyStripSpaces wasn't implemented yet. Also note that +xsltApplyTemplates with a select expression never tried to delete +nodes. + +Also stop xsltDefaultProcessOneNode from deleting nodes for the same +reasons. + +This fixes CVE-2021-30560. +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -1895,7 +1895,7 @@ static void + xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, + xsltStackElemPtr params) { + xmlNodePtr copy; +- xmlNodePtr delete = NULL, cur; ++ xmlNodePtr cur; + int nbchild = 0, oldSize; + int childno = 0, oldPos; + xsltTemplatePtr template; +@@ -1968,54 +1968,13 @@ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, + return; + } + /* +- * Handling of Elements: first pass, cleanup and counting ++ * Handling of Elements: first pass, counting + */ + cur = node->children; + while (cur != NULL) { +- switch (cur->type) { +- case XML_TEXT_NODE: +- case XML_CDATA_SECTION_NODE: +- case XML_DOCUMENT_NODE: +- case XML_HTML_DOCUMENT_NODE: +- case XML_ELEMENT_NODE: +- case XML_PI_NODE: +- case XML_COMMENT_NODE: +- nbchild++; +- break; +- case XML_DTD_NODE: +- /* Unlink the DTD, it's still reachable using doc->intSubset */ +- if (cur->next != NULL) +- cur->next->prev = cur->prev; +- if (cur->prev != NULL) +- cur->prev->next = cur->next; +- break; +- default: +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: skipping node type %d\n", +- cur->type)); +-#endif +- delete = cur; +- } ++ if (IS_XSLT_REAL_NODE(cur)) ++ nbchild++; + cur = cur->next; +- if (delete != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: removing ignorable blank node\n")); +-#endif +- xmlUnlinkNode(delete); +- xmlFreeNode(delete); +- delete = NULL; +- } +- } +- if (delete != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: removing ignorable blank node\n")); +-#endif +- xmlUnlinkNode(delete); +- xmlFreeNode(delete); +- delete = NULL; + } + + /* +@@ -4864,7 +4823,7 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, + xsltStylePreCompPtr comp = (xsltStylePreCompPtr) castedComp; + #endif + int i; +- xmlNodePtr cur, delNode = NULL, oldContextNode; ++ xmlNodePtr cur, oldContextNode; + xmlNodeSetPtr list = NULL, oldList; + xsltStackElemPtr withParams = NULL; + int oldXPProximityPosition, oldXPContextSize; +@@ -4998,73 +4957,9 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, + else + cur = NULL; + while (cur != NULL) { +- switch (cur->type) { +- case XML_TEXT_NODE: +- if ((IS_BLANK_NODE(cur)) && +- (cur->parent != NULL) && +- (cur->parent->type == XML_ELEMENT_NODE) && +- (ctxt->style->stripSpaces != NULL)) { +- const xmlChar *val; +- +- if (cur->parent->ns != NULL) { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- cur->parent->name, +- cur->parent->ns->href); +- if (val == NULL) { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- BAD_CAST "*", +- cur->parent->ns->href); +- } +- } else { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- cur->parent->name, NULL); +- } +- if ((val != NULL) && +- (xmlStrEqual(val, (xmlChar *) "strip"))) { +- delNode = cur; +- break; +- } +- } +- /* Intentional fall-through */ +- case XML_ELEMENT_NODE: +- case XML_DOCUMENT_NODE: +- case XML_HTML_DOCUMENT_NODE: +- case XML_CDATA_SECTION_NODE: +- case XML_PI_NODE: +- case XML_COMMENT_NODE: +- xmlXPathNodeSetAddUnique(list, cur); +- break; +- case XML_DTD_NODE: +- /* Unlink the DTD, it's still reachable +- * using doc->intSubset */ +- if (cur->next != NULL) +- cur->next->prev = cur->prev; +- if (cur->prev != NULL) +- cur->prev->next = cur->next; +- break; +- case XML_NAMESPACE_DECL: +- break; +- default: +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, +- "xsltApplyTemplates: skipping cur type %d\n", +- cur->type)); +-#endif +- delNode = cur; +- } ++ if (IS_XSLT_REAL_NODE(cur)) ++ xmlXPathNodeSetAddUnique(list, cur); + cur = cur->next; +- if (delNode != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, +- "xsltApplyTemplates: removing ignorable blank cur\n")); +-#endif +- xmlUnlinkNode(delNode); +- xmlFreeNode(delNode); +- delNode = NULL; +- } + } + } + +GitLab diff --git a/dev-libs/libxslt/files/libxslt-1.1.34-libxml2-2.9.12.patch b/dev-libs/libxslt/files/libxslt-1.1.34-libxml2-2.9.12.patch new file mode 100644 index 00000000000..635fb576d3d --- /dev/null +++ b/dev-libs/libxslt/files/libxslt-1.1.34-libxml2-2.9.12.patch @@ -0,0 +1,120 @@ +https://gitlab.gnome.org/GNOME/libxslt/-/commit/9ae2f94df1721e002941b40665efb762aefcea1a +https://gitlab.gnome.org/GNOME/libxslt/-/commit/824657768aea2cce9c23e72ba8085cb5e44350c7 +https://gitlab.gnome.org/GNOME/libxslt/-/commit/77c26bad0433541f486b1e7ced44ca9979376908 + +From: Nick Wellnhofer <[email protected]> +Date: Mon, 17 Aug 2020 03:42:11 +0200 +Subject: [PATCH] Stop using maxParserDepth XPath limit + +This will be removed again from libxml2. +--- a/tests/fuzz/fuzz.c ++++ b/tests/fuzz/fuzz.c +@@ -183,8 +183,7 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + xpctxt = tctxt->xpathCtxt; + + /* Resource limits to avoid timeouts and call stack overflows */ +- xpctxt->maxParserDepth = 15; +- xpctxt->maxDepth = 100; ++ xpctxt->maxDepth = 500; + xpctxt->opLimit = 500000; + + /* Test namespaces used in xpath.xml */ +@@ -317,8 +316,7 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + + static void + xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) { +- ctxt->maxParserDepth = 15; +- ctxt->maxDepth = 100; ++ ctxt->maxDepth = 200; + ctxt->opLimit = 100000; + } + +From: Nick Wellnhofer <[email protected]> +Date: Mon, 17 Aug 2020 04:27:13 +0200 +Subject: [PATCH] Transfer XPath limits to XPtr context + +Expressions like document('doc.xml#xpointer(evil_expr)') ignored the +XPath limits. +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -178,10 +178,22 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI) + goto out_fragment; + } + ++#if LIBXML_VERSION >= 20911 || \ ++ defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) ++ xptrctxt->opLimit = ctxt->context->opLimit; ++ xptrctxt->opCount = ctxt->context->opCount; ++ xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth; ++ ++ resObj = xmlXPtrEval(fragment, xptrctxt); ++ ++ ctxt->context->opCount = xptrctxt->opCount; ++#else + resObj = xmlXPtrEval(fragment, xptrctxt); +- xmlXPathFreeContext(xptrctxt); + #endif + ++ xmlXPathFreeContext(xptrctxt); ++#endif /* LIBXML_XPTR_ENABLED */ ++ + if (resObj == NULL) + goto out_fragment; + +From: Nick Wellnhofer <[email protected]> +Date: Wed, 26 Aug 2020 00:34:38 +0200 +Subject: [PATCH] Don't set maxDepth in XPath contexts + +The maximum recursion depth is hardcoded in libxml2 now. +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -182,7 +182,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI) + defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) + xptrctxt->opLimit = ctxt->context->opLimit; + xptrctxt->opCount = ctxt->context->opCount; +- xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth; ++ xptrctxt->depth = ctxt->context->depth; + + resObj = xmlXPtrEval(fragment, xptrctxt); + +--- a/tests/fuzz/fuzz.c ++++ b/tests/fuzz/fuzz.c +@@ -183,7 +183,6 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + xpctxt = tctxt->xpathCtxt; + + /* Resource limits to avoid timeouts and call stack overflows */ +- xpctxt->maxDepth = 500; + xpctxt->opLimit = 500000; + + /* Test namespaces used in xpath.xml */ +@@ -314,12 +313,6 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + return 0; + } + +-static void +-xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) { +- ctxt->maxDepth = 200; +- ctxt->opLimit = 100000; +-} +- + xmlChar * + xsltFuzzXslt(const char *data, size_t size) { + xmlDocPtr xsltDoc; +@@ -349,7 +342,7 @@ xsltFuzzXslt(const char *data, size_t size) { + xmlFreeDoc(xsltDoc); + return NULL; + } +- xsltSetXPathResourceLimits(sheet->xpathCtxt); ++ sheet->xpathCtxt->opLimit = 100000; + sheet->xpathCtxt->opCount = 0; + if (xsltParseStylesheetUser(sheet, xsltDoc) != 0) { + xsltFreeStylesheet(sheet); +@@ -361,7 +354,7 @@ xsltFuzzXslt(const char *data, size_t size) { + xsltSetCtxtSecurityPrefs(sec, ctxt); + ctxt->maxTemplateDepth = 100; + ctxt->opLimit = 20000; +- xsltSetXPathResourceLimits(ctxt->xpathCtxt); ++ ctxt->xpathCtxt->opLimit = 100000; + ctxt->xpathCtxt->opCount = sheet->xpathCtxt->opCount; + + result = xsltApplyStylesheetUser(sheet, doc, NULL, NULL, NULL, ctxt); diff --git a/dev-libs/libxslt/libxslt-1.1.34-r2.ebuild b/dev-libs/libxslt/libxslt-1.1.34-r2.ebuild new file mode 100644 index 00000000000..df1a9b5e042 --- /dev/null +++ b/dev-libs/libxslt/libxslt-1.1.34-r2.ebuild @@ -0,0 +1,72 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/danielveillard.asc +inherit libtool multilib-minimal verify-sig + +# Note: Please bump this in sync with dev-libs/libxml2. +DESCRIPTION="XSLT libraries and tools" +HOMEPAGE="http://www.xmlsoft.org/ https://gitlab.gnome.org/GNOME/libxslt"; +SRC_URI="ftp://xmlsoft.org/${PN}/${P}.tar.gz"; +SRC_URI+=" verify-sig? ( ftp://xmlsoft.org/${PN}/${P}.tar.gz.asc )" + +LICENSE="MIT" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="crypt debug examples static-libs elibc_Darwin" + +BDEPEND=">=virtual/pkgconfig-1 + verify-sig? ( app-crypt/openpgp-keys-danielveillard )" +RDEPEND=" + >=dev-libs/libxml2-2.9.11:2[${MULTILIB_USEDEP}] + crypt? ( >=dev-libs/libgcrypt-1.5.3:0=[${MULTILIB_USEDEP}] ) +" +DEPEND="${RDEPEND}" + +MULTILIB_CHOST_TOOLS=( + /usr/bin/xslt-config +) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/libxslt/xsltconfig.h +) + +PATCHES=( + "${FILESDIR}"/${P}-libxml2-2.9.12.patch + "${FILESDIR}"/${P}-CVE-2021-30560.patch +) + +src_prepare() { + default + + DOCS=( AUTHORS ChangeLog FEATURES NEWS README TODO ) + + # Prefix always needs elibtoolize if not eautoreconf'd. + elibtoolize +} + +multilib_src_configure() { + # Python bindings were dropped as they were Python 2 only at the time + ECONF_SOURCE="${S}" econf \ + --with-html-dir="${EPREFIX}"/usr/share/doc/${PF} \ + --with-html-subdir=html \ + --without-python \ + $(use_with crypt crypto) \ + $(use_with debug) \ + $(use_with debug mem-debug) \ + $(use_enable static-libs static) \ + "$@" +} + +multilib_src_install() { + # "default" does not work here - docs are installed by multilib_src_install_all + emake DESTDIR="${D}" install +} + +multilib_src_install_all() { + einstalldocs + + find "${ED}" -type f -name "*.la" -delete || die +}
