Package: libxslt / 1.1.28-2+deb8u3

Metadata

Package Version Patches format
libxslt 1.1.28-2+deb8u3 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
0001 patch xslt config to add private libraries.patch | (download)

libexslt.pc.in | 1 1 + 0 - 0 !
libxslt.pc.in | 1 1 + 0 - 0 !
xslt-config.in | 14 12 + 2 - 0 !
3 files changed, 14 insertions(+), 2 deletions(-)

 patch xslt-config to add private libraries


0002 fix autoconf automake.patch | (download)

configure.in | 9 5 + 4 - 0 !
1 file changed, 5 insertions(+), 4 deletions(-)

 fix autoconf automake


0003 fix typo.patch | (download)

doc/APIchunk6.html | 2 1 + 1 - 0 !
doc/APIchunk8.html | 2 1 + 1 - 0 !
doc/EXSLT/bugs.html | 8 4 + 4 - 0 !
doc/EXSLT/exslt.html | 8 4 + 4 - 0 !
doc/apibuild.py | 2 1 + 1 - 0 !
doc/html/libxslt-extra.html | 2 1 + 1 - 0 !
doc/html/libxslt-imports.html | 2 1 + 1 - 0 !
doc/html/libxslt-xsltInternals.html | 6 3 + 3 - 0 !
doc/html/libxslt-xsltutils.html | 6 3 + 3 - 0 !
doc/libxslt-api.xml | 20 10 + 10 - 0 !
doc/libxslt-refs.xml | 4 2 + 2 - 0 !
libexslt/exsltconfig.h.in | 2 1 + 1 - 0 !
libxslt/extensions.c | 2 1 + 1 - 0 !
libxslt/extra.c | 2 1 + 1 - 0 !
libxslt/imports.c | 2 1 + 1 - 0 !
libxslt/numbers.c | 4 2 + 2 - 0 !
libxslt/xsltInternals.h | 6 3 + 3 - 0 !
libxslt/xsltconfig.h | 4 2 + 2 - 0 !
libxslt/xsltconfig.h.in | 4 2 + 2 - 0 !
libxslt/xsltutils.c | 14 7 + 7 - 0 !
libxslt/xsltwin32config.h | 4 2 + 2 - 0 !
libxslt/xsltwin32config.h.in | 4 2 + 2 - 0 !
python/tests/pyxsltproc.py | 4 2 + 2 - 0 !
tests/docbook/result/fo/gdp-handbook.fo | 2 1 + 1 - 0 !
tests/docbook/result/html/gdp-handbook.html | 2 1 + 1 - 0 !
tests/docbook/result/xhtml/gdp-handbook.xhtml | 2 1 + 1 - 0 !
tests/docbook/test/gdp-handbook.xml | 2 1 + 1 - 0 !
tests/plugins/testplugin.c | 2 1 + 1 - 0 !
xsltproc/xsltproc.c | 2 1 + 1 - 0 !
29 files changed, 63 insertions(+), 63 deletions(-)

 fix typo


0004 Adding doc update related to 1.1.28.patch | (download)

NEWS | 23 23 + 0 - 0 !
doc/libxslt.xsa | 87 80 + 7 - 0 !
doc/news.html | 25 24 + 1 - 0 !
doc/xslt.html | 25 25 + 0 - 0 !
4 files changed, 152 insertions(+), 8 deletions(-)

 adding doc update related to 1.1.28


0005 Fix a couple of places where f printf parameters wer.patch | (download)

python/libxslt.c | 10 5 + 5 - 0 !
xsltproc/xsltproc.c | 2 1 + 1 - 0 !
2 files changed, 6 insertions(+), 6 deletions(-)

 fix a couple of places where (f)printf parameters were broken

As reported by Thomas Jarosch <thomas.jarosch@intra2net.com>

0006 Initialize pseudo random number generator with curre.patch | (download)

xsltproc/xsltproc.c | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 initialize pseudo random number generator with current time or
 optional command line parameter


0007 EXSLT function str replace is broken as is.patch | (download)

libexslt/strings.c | 6 1 + 5 - 0 !
1 file changed, 1 insertion(+), 5 deletions(-)

 exslt function str:replace() is broken as-is

the str:replace() function is no longer usable without a transform
context. I take it from the bug report that it is not supposed to be used
from plain XPath but only from XSLT according to the EXSLT specification.

However, the previous implementation used to work in XPath and is still
registered on an xmlXPathContext by the exsltStrXpathCtxtRegister()
function. When called from plain XPath, it results in a memory error in
line 526 (exsltStrReturnString()) of strings.c because xsltCreateRVT()
returns NULL as an error indicator due to a NULL transform context being
passed in, which was the return value from xsltXPathGetTransformContext() a
bit further up (and the code doesn't validate that).

Since fixing the function looks impossible, best is to remove it.

0008 Fix quoting of xlocale test program in configure.in.patch | (download)

configure.in | 14 7 + 7 - 0 !
1 file changed, 7 insertions(+), 7 deletions(-)

 fix quoting of xlocale test program in configure.in

Double square brackets aren't needed anymore, probably due to the
changes in commit a2cd8a03.

0009 Fix for type confusion in preprocessing attributes.patch | (download)

libxslt/preproc.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] fix for type confusion in preprocessing attributes

CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
We need to check that the parent node is an element before dereferencing
its namespace

0010 Always initialize EXSLT month and day to 1.patch | (download)

libexslt/date.c | 17 7 + 10 - 0 !
1 file changed, 7 insertions(+), 10 deletions(-)

 [patch] always initialize exslt month and day to 1

Fixes bug #757970
https://bugzilla.gnome.org/show_bug.cgi?id=757970

0011 Fix use after free in xsltDocumentFunctionLoadDocume.patch | (download)

libxslt/functions.c | 3 2 + 1 - 0 !
tests/docs/bug-185-data.xml | 5 5 + 0 - 0 !
tests/docs/bug-185.xml | 2 2 + 0 - 0 !
tests/general/bug-185.err | 3 3 + 0 - 0 !
tests/general/bug-185.xsl | 14 14 + 0 - 0 !
5 files changed, 26 insertions(+), 1 deletion(-)

 [patch] fix use-after-free in xsltdocumentfunctionloaddocument

Also fixes a memory leak in an unlikely error case.

Fixes bug #758291
https://bugzilla.gnome.org/show_bug.cgi?id=758291

0012 Fix xsltNumberFormatGetMultipleLevel.patch | (download)

libxslt/numbers.c | 82 47 + 35 - 0 !
tests/docs/bug-186.xml | 4 4 + 0 - 0 !
tests/general/bug-186.out | 5 5 + 0 - 0 !
tests/general/bug-186.xsl | 7 7 + 0 - 0 !
4 files changed, 63 insertions(+), 35 deletions(-)

 [patch] fix xsltnumberformatgetmultiplelevel

Namespace nodes are actually an xmlNs, not an xmlNode. They must be
special-cased in xsltNumberFormatGetMultipleLevel to avoid an
out-of-bounds heap access.

Move the test whether a node matches the "count" pattern to a separate
function to make the code more readable. As a side effect, we also
compare expanded names when walking up the ancestor axis, fixing an
insignificant bug.

0013 Round xsl number values to nearest integer.patch | (download)

libxslt/numbers.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] round xsl:number values to nearest integer

This matches XSLT 2.0 behavior.

0014 Handle negative xsl number values.patch | (download)

libxslt/numbers.c | 17 16 + 1 - 0 !
1 file changed, 16 insertions(+), 1 deletion(-)

 [patch] handle negative xsl:number values

According to XSLT 2.0, negative values are a non-recoverable dynamic error.
Print an error message and treat negative values as zero.

Fixes an OOB array access in xsltNumberFormatAlpha.

0015 Lower bound for format token a.patch | (download)

libxslt/numbers.c | 33 24 + 9 - 0 !
1 file changed, 24 insertions(+), 9 deletions(-)

 [patch] lower bound for format token "a"

Handle xsl:number with format "a" and value 0 according to XSLT 2.0.

Fixes an OOB array access in xsltNumberFormatAlpha.

0016 Lower and upper bound for format token i.patch | (download)

libxslt/numbers.c | 25 16 + 9 - 0 !
1 file changed, 16 insertions(+), 9 deletions(-)

 [patch] lower and upper bound for format token "i"

Handle xsl:number with format "i" and value 0 according to XSLT 2.0.

Also introduce an upper bound to fix a denial of service.

0017 Fix double free in libexslt hash functions.patch | (download)

libexslt/crypto.c | 15 3 + 12 - 0 !
1 file changed, 3 insertions(+), 12 deletions(-)

 [patch] fix double free in libexslt hash functions

Thanks to Nicolas Gregoire for the report.

Fixes bug #765271:

https://bugzilla.gnome.org/show_bug.cgi?id=765271

0018 Fix buffer overflow in exsltDateFormat.patch | (download)

libexslt/date.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fix buffer overflow in exsltdateformat

Long years can overflow a stack-based buffer on 64-bit platforms by
up to four bytes.

Thanks to Nicolas Gregoire for the report.

Fixes bug #765380:

https://bugzilla.gnome.org/show_bug.cgi?id=765380

0019 Fix OOB heap read in xsltExtModuleRegisterDynamic.patch | (download)

libxslt/extensions.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] fix oob heap read in xsltextmoduleregisterdynamic

xsltExtModuleRegisterDynamic would read a byte before the start of a
string under certain circumstances. I looks like this piece code was
supposed to strip characters from the end of the extension name, but
it didn't have any effect. Don't read beyond the beginning of the
string and actually strip unwanted characters.

Found with afl-fuzz and ASan.

0020 Fix heap overread in xsltFormatNumberConversion.patch | (download)

libxslt/numbers.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] fix heap overread in xsltformatnumberconversion

An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.

Found with afl-fuzz and ASan.

0021 Check for integer overflow in xsltAddTextString.patch | (download)

libxslt/transform.c | 25 22 + 3 - 0 !
libxslt/xsltInternals.h | 4 2 + 2 - 0 !
2 files changed, 24 insertions(+), 5 deletions(-)

 [patch] check for integer overflow in xsltaddtextstring

Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.

Originally reported to Chromium:

https://crbug.com/676623