From 584dbc2f0a30bb4011d5e14a69ba3bba99b89613 Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias <gustavo@zacarias.com.ar>
Date: Fri, 2 Mar 2012 12:00:34 -0300
Subject: libxslt: add multiple security patches

Add security patches for CVE-2011-1202 and CVE-2011-3970.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
---
 package/libxslt/libxslt-1.1.26-configure.patch     | 18 +++++++
 package/libxslt/libxslt-1.1.26-id-generation.patch | 56 ++++++++++++++++++++++
 ...libxslt-1.1.26-pattern-out-of-bounds-read.patch | 27 +++++++++++
 package/libxslt/libxslt-configure.patch            | 18 -------
 4 files changed, 101 insertions(+), 18 deletions(-)
 create mode 100644 package/libxslt/libxslt-1.1.26-configure.patch
 create mode 100644 package/libxslt/libxslt-1.1.26-id-generation.patch
 create mode 100644 package/libxslt/libxslt-1.1.26-pattern-out-of-bounds-read.patch
 delete mode 100644 package/libxslt/libxslt-configure.patch

(limited to 'package/libxslt')

diff --git a/package/libxslt/libxslt-1.1.26-configure.patch b/package/libxslt/libxslt-1.1.26-configure.patch
new file mode 100644
index 000000000..aae2e9e28
--- /dev/null
+++ b/package/libxslt/libxslt-1.1.26-configure.patch
@@ -0,0 +1,18 @@
+--- a/configure	2007-06-12 12:43:03.000000000 -0400
++++ b/configure	2008-02-18 08:52:36.000000000 -0500
+@@ -22090,15 +22090,11 @@ esac
+ 
+ 
+ 
+-XSLT_LIBDIR='-L${libdir}'
+-XSLT_INCLUDEDIR='-I${includedir}'
+ XSLT_LIBS="-lxslt $LIBXML_LIBS $M_LIBS"
+ 
+ 
+ 
+ 
+-EXSLT_LIBDIR='-L${libdir}'
+-EXSLT_INCLUDEDIR='-I${includedir}'
+ EXSLT_LIBS="-lexslt $XSLT_LIBS $LIBGCRYPT_LIBS"
+ 
+ 
diff --git a/package/libxslt/libxslt-1.1.26-id-generation.patch b/package/libxslt/libxslt-1.1.26-id-generation.patch
new file mode 100644
index 000000000..f8f4c2a95
--- /dev/null
+++ b/package/libxslt/libxslt-1.1.26-id-generation.patch
@@ -0,0 +1,56 @@
+From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 22 Feb 2011 02:14:23 +0000
+Subject: Fix generate-id() to not expose object addresses
+
+As pointed out by Chris Evans <scarybeasts@gmail.com> it's better
+security wise to not expose object addresses directly, use a diff
+w.r.t. the document root own address to avoid this
+* libxslt/functions.c: fix IDs generation code
+---
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 4720c7a..de962f4 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
+ void
+ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+     xmlNodePtr cur = NULL;
+-    unsigned long val;
+-    xmlChar str[20];
++    long val;
++    xmlChar str[30];
++    xmlDocPtr doc;
+ 
+     if (nargs == 0) {
+ 	cur = ctxt->context->node;
+@@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+      * Okay this is ugly but should work, use the NodePtr address
+      * to forge the ID
+      */
+-    val = (unsigned long)((char *)cur - (char *)0);
+-    val /= sizeof(xmlNode);
+-    sprintf((char *)str, "id%ld", val);
++    if (cur->type != XML_NAMESPACE_DECL)
++        doc = cur->doc;
++    else {
++        xmlNsPtr ns = (xmlNsPtr) cur;
++
++        if (ns->context != NULL)
++            doc = ns->context;
++        else
++            doc = ctxt->context->doc;
++
++    }
++
++    val = (long)((char *)cur - (char *)doc);
++    if (val >= 0) {
++      sprintf((char *)str, "idp%ld", val);
++    } else {
++      sprintf((char *)str, "idm%ld", -val);
++    }
+     valuePush(ctxt, xmlXPathNewString(str));
+ }
+ 
+--
+cgit v0.8.3.4
diff --git a/package/libxslt/libxslt-1.1.26-pattern-out-of-bounds-read.patch b/package/libxslt/libxslt-1.1.26-pattern-out-of-bounds-read.patch
new file mode 100644
index 000000000..cd2e292f4
--- /dev/null
+++ b/package/libxslt/libxslt-1.1.26-pattern-out-of-bounds-read.patch
@@ -0,0 +1,27 @@
+From fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b Mon Sep 17 00:00:00 2001
+From: Abhishek Arya <inferno@chromium.org>
+Date: Sun, 22 Jan 2012 17:47:50 +0800
+Subject: [PATCH] Fix some case of pattern parsing errors
+
+We could accidentally hit an off by one string array access
+due to improper loop exit when parsing patterns
+---
+ libxslt/pattern.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/libxslt/pattern.c b/libxslt/pattern.c
+index 6161376..1155b54 100644
+--- a/libxslt/pattern.c
++++ b/libxslt/pattern.c
+@@ -1867,6 +1867,8 @@ xsltCompilePatternInternal(const xmlChar *pattern, xmlDocPtr doc,
+ 		while ((pattern[end] != 0) && (pattern[end] != '"'))
+ 		    end++;
+ 	    }
++	    if (pattern[end] == 0)
++	        break;
+ 	    end++;
+ 	}
+ 	if (current == end) {
+-- 
+1.7.8.4
+
diff --git a/package/libxslt/libxslt-configure.patch b/package/libxslt/libxslt-configure.patch
deleted file mode 100644
index aae2e9e28..000000000
--- a/package/libxslt/libxslt-configure.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/configure	2007-06-12 12:43:03.000000000 -0400
-+++ b/configure	2008-02-18 08:52:36.000000000 -0500
-@@ -22090,15 +22090,11 @@ esac
- 
- 
- 
--XSLT_LIBDIR='-L${libdir}'
--XSLT_INCLUDEDIR='-I${includedir}'
- XSLT_LIBS="-lxslt $LIBXML_LIBS $M_LIBS"
- 
- 
- 
- 
--EXSLT_LIBDIR='-L${libdir}'
--EXSLT_INCLUDEDIR='-I${includedir}'
- EXSLT_LIBS="-lexslt $XSLT_LIBS $LIBGCRYPT_LIBS"
- 
- 
-- 
cgit v1.2.3