~ubuntu-branches/ubuntu/hardy/libxslt/hardy-updates

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2012-09-28 15:40:31 UTC
Revision ID: package-import@ubuntu.com-20120928154031-ycs5jnt2ykqrazyd

Tags: 1.1.22-1ubuntu1.3

* SECURITY UPDATE: information disclosure via generate-id XPath function
  - libxslt/functions.c: do not expose object addresses directly.
  - ecb6bcb8d1b7e44842edde3929f412d46b40c89f
  - CVE-2011-1202
* SECURITY UPDATE: denial of service via out-of-bounds read
  - libxslt/pattern.c: fix improper loop exit.
  - fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b
  - CVE-2011-3970
* SECURITY UPDATE: denial of service via out-of-bounds read
  - libxslt/xsltutils.h: check for XML_ELEMENT_NODE
  - e6a0bc8081271f33b9899eb78e1da1a2a0428419
  - CVE-2012-2825
* SECURITY UPDATE: denial of service via crafted XSLT expression
  - harden code in libexslt/functions.c, libxslt/attributes.c,
    libxslt/functions.c, libxslt/pattern.c, libxslt/preproc.c,
    libxslt/templates.c, libxslt/transform.c, libxslt/variables.c,
    libxslt/xslt.c, libxslt/xsltutils.c.
  - 8566ab4a10158d195adb5f1f61afe1ee8bfebd12
  - 4da0f7e207f14a03daad4663865c285eb27f93e9
  - 24653072221e76d2f1f06aa71225229b532f8946
  - 1564b30e994602a95863d9716be83612580a2fed
  - CVE-2012-2870
* SECURITY UPDATE: denial of service and possible code execution during
  handling of XSL transforms
  - libxslt/transform.c: check for XML_NAMESPACE_DECL
  - 937ba2a3eb42d288f53c8adc211bd1122869f0bf
  - CVE-2012-2871
* SECURITY UPDATE: denial of service and possible code execution via
  double free during XSL transforms
  - libxslt/templates.c: Fix dictionary string usage
  - 54977ed7966847e305a2008cb18892df26eeb065
  - CVE-2012-2893

files added:
win32/.cvsignore

files modified:
debian/changelog

debian/control

libexslt/functions.c

libxslt/attributes.c

libxslt/functions.c

libxslt/pattern.c

libxslt/preproc.c

libxslt/templates.c

libxslt/transform.c

libxslt/variables.c

libxslt/xslt.c

libxslt/xsltutils.c

libxslt/xsltutils.h

Show diffs side-by-side

added added

removed removed

libxslt/pattern.c

299

"xsltCompMatchAdd: memory re-allocation failure.\n");

300

if (ctxt->style != NULL)

301

ctxt->style->errors++;

302

if (value)

303

xmlFree(value);

304

if (value2)

305

xmlFree(value2);

302

306

return (-1);

303

307

}

304

308

comp->maxStep *= 2;

1457

1461

NEXT;

1458

1462

SKIP_BLANKS;

1459

1463

lit = xsltScanLiteral(ctxt);

1460

if (ctxt->error)

1464

if (ctxt->error) {

1465

xsltTransformError(NULL, NULL, NULL,

1466

"xsltCompileIdKeyPattern : Literal expected\n");

1461

1467

return;

1468

}

1462

1469

SKIP_BLANKS;

1463

1470

if (CUR != ')') {

1464

1471

xsltTransformError(NULL, NULL, NULL,

1465

1472

"xsltCompileIdKeyPattern : ) expected\n");

1473

xmlFree(lit);

1466

1474

ctxt->error = 1;

1467

1475

return;

1468

1476

}

1469

1477

NEXT;

1470

1478

PUSH(XSLT_OP_ID, lit, NULL, novar);

1479

lit = NULL;

1471

1480

} else if ((aid) && (xmlStrEqual(name, (const xmlChar *)"key"))) {

1472

1481

NEXT;

1473

1482

SKIP_BLANKS;

1474

1483

lit = xsltScanLiteral(ctxt);

1475

if (ctxt->error)

1484

if (ctxt->error) {

1485

xsltTransformError(NULL, NULL, NULL,

1486

"xsltCompileIdKeyPattern : Literal expected\n");

1476

1487

return;

1488

}

1477

1489

SKIP_BLANKS;

1478

1490

if (CUR != ',') {

1479

1491

xsltTransformError(NULL, NULL, NULL,

1484

1496

NEXT;

1485

1497

SKIP_BLANKS;

1486

1498

lit2 = xsltScanLiteral(ctxt);

1487

if (ctxt->error)

1499

if (ctxt->error) {

1500

xsltTransformError(NULL, NULL, NULL,

1501

"xsltCompileIdKeyPattern : Literal expected\n");

1502

xmlFree(lit);

1488

1503

return;

1504

}

1489

1505

SKIP_BLANKS;

1490

1506

if (CUR != ')') {

1491

1507

xsltTransformError(NULL, NULL, NULL,

1492

1508

"xsltCompileIdKeyPattern : ) expected\n");

1509

xmlFree(lit);

1510

xmlFree(lit2);

1493

1511

ctxt->error = 1;

1494

1512

return;

1495

1513

}

1496

1514

NEXT;

1497

1515

/* URGENT TODO: support namespace in keys */

1498

1516

PUSH(XSLT_OP_KEY, lit, lit2, novar);

1517

lit = NULL;

1518

lit2 = NULL;

1499

1519

} else if (xmlStrEqual(name, (const xmlChar *)"processing-instruction")) {

1500

1520

NEXT;

1501

1521

SKIP_BLANKS;

1502

1522

if (CUR != ')') {

1503

1523

lit = xsltScanLiteral(ctxt);

1504

if (ctxt->error)

1524

if (ctxt->error) {

1525

xsltTransformError(NULL, NULL, NULL,

1526

"xsltCompileIdKeyPattern : Literal expected\n");

1505

1527

return;

1528

}

1506

1529

SKIP_BLANKS;

1507

1530

if (CUR != ')') {

1508

1531

xsltTransformError(NULL, NULL, NULL,

1513

1536

}

1514

1537

NEXT;

1515

1538

PUSH(XSLT_OP_PI, lit, NULL, novar);

1539

lit = NULL;

1516

1540

} else if (xmlStrEqual(name, (const xmlChar *)"text")) {

1517

1541

NEXT;

1518

1542

SKIP_BLANKS;

1558

1582

return;

1559

1583

}

1560

1584

error:

1561

if (name != NULL)

1562

xmlFree(name);

1585

return;

1563

1586

}

1564

1587

1565

1588

/**

1619

1642

if (CUR == '*') {

1620

1643

NEXT;

1621

1644

PUSH(XSLT_OP_ATTR, NULL, URL, novar);

1645

URL = NULL;

1622

1646

return;

1623

1647

}

1624

1648

xsltTransformError(NULL, NULL, NULL,

1627

1651

goto error;

1628

1652

}

1629

1653

PUSH(XSLT_OP_ATTR, token, URL, novar);

1654

token = NULL;

1655

URL = NULL;

1630

1656

goto parse_predicate;

1631

1657

}

1632

1658

if (token == NULL)

1635

1661

if (CUR == '*') {

1636

1662

NEXT;

1637

1663

PUSH(XSLT_OP_ALL, token, NULL, novar);

1664

token = NULL;

1638

1665

goto parse_predicate;

1639

1666

} else {

1640

1667

xsltTransformError(NULL, NULL, NULL,

1648

1675

SKIP_BLANKS;

1649

1676

if (CUR == '(') {

1650

1677

xsltCompileIdKeyPattern(ctxt, token, 0, novar);

1678

xmlFree(token);

1679

token = NULL;

1651

1680

if (ctxt->error)

1652

1681

goto error;

1653

1682

} else if (CUR == ':') {

1665

1694

xsltTransformError(NULL, NULL, NULL,

1666

1695

"xsltCompileStepPattern : no namespace bound to prefix %s\n",

1667

1696

prefix);

1697

xmlFree(prefix);

1698

prefix=NULL;

1668

1699

ctxt->error = 1;

1669

1700

goto error;

1670

1701

} else {

1671

1702

URL = xmlStrdup(ns->href);

1672

1703

}

1673

1704

xmlFree(prefix);

1705

prefix=NULL;

1674

1706

if (token == NULL) {

1675

1707

if (CUR == '*') {

1676

1708

NEXT;

1677

1709

PUSH(XSLT_OP_NS, URL, NULL, novar);

1710

URL = NULL;

1678

1711

} else {

1679

1712

xsltTransformError(NULL, NULL, NULL,

1680

1713

"xsltCompileStepPattern : Name expected\n");

1683

1716

}

1684

1717

} else {

1685

1718

PUSH(XSLT_OP_ELEM, token, URL, novar);

1719

token = NULL;

1720

URL = NULL;

1686

1721

}

1687

1722

} else {

1688

1723

NEXT;

1693

1728

if (CUR == '*') {

1694

1729

NEXT;

1695

1730

PUSH(XSLT_OP_ALL, token, NULL, novar);

1731

token = NULL;

1732

1696

1733

goto parse_predicate;

1697

1734

} else {

1698

1735

xsltTransformError(NULL, NULL, NULL,

1711

1748

URL = xmlStrdup(URI);

1712

1749

}

1713

1750

PUSH(XSLT_OP_CHILD, name, URL, novar);

1751

name = NULL;

1752

URL = NULL;

1714

1753

} else if (xmlStrEqual(token, (const xmlChar *) "attribute")) {

1715

1754

xmlFree(token);

1755

token = NULL;

1716

1756

token = xsltScanName(ctxt);

1717

1757

if (token == NULL) {

1718

1758

xsltTransformError(NULL, NULL, NULL,

1730

1770

URL = xmlStrdup(URI);

1731

1771

}

1732

1772

PUSH(XSLT_OP_ATTR, name, URL, novar);

1773

name = NULL;

1774

URL = NULL;

1733

1775

} else {

1734

1776

xsltTransformError(NULL, NULL, NULL,

1735

1777

"xsltCompileStepPattern : 'child' or 'attribute' expected\n");

1737

1779

goto error;

1738

1780

}

1739

1781

xmlFree(token);

1782

token = NULL;

1740

1783

}

1741

1784

} else if (CUR == '*') {

1742

1785

NEXT;

1743

1786

PUSH(XSLT_OP_ALL, token, NULL, novar);

1787

token = NULL;

1744

1788

} else {

1745

1789

URI = xsltGetQNameURI(ctxt->elem, &token);

1746

1790

if (token == NULL) {

1750

1794

if (URI != NULL)

1751

1795

URL = xmlStrdup(URI);

1752

1796

PUSH(XSLT_OP_ELEM, token, URL, novar);

1797

token = NULL;

1798

URL = NULL;

1753

1799

}

1754

1800

parse_predicate:

1755

1801

SKIP_BLANKS;

1788

1834

}

1789

1835

ret = xmlStrndup(q, CUR_PTR - q);

1790

1836

PUSH(XSLT_OP_PREDICATE, ret, NULL, novar);

1837

ret = NULL;

1791

1838

/* push the predicate lower than local test */

1792

1839

SWAP();

1793

1840

NEXT;

1896

1943

SKIP_BLANKS;

1897

1944

if ((CUR == '(') && !xmlXPathIsNodeType(name)) {

1898

1945

xsltCompileIdKeyPattern(ctxt, name, 1, novar);

1946

xmlFree(name);

1947

name = NULL;

1899

1948

if ((CUR == '/') && (NXT(1) == '/')) {

1900

1949

PUSH(XSLT_OP_ANCESTOR, NULL, NULL, novar);

1901

1950

NEXT;

1973

2022

while ((pattern[end] != 0) && (pattern[end] != '"'))

1974

2023

end++;

1975

2024

}

2025

if (pattern[end] == 0)

2026

break;

1976

2027

end++;

1977

2028

}

1978

2029

if (current == end) {

Older »