| 1 | From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001 |
| 2 | From: Nick Wellnhofer <wellnhofer@aevum.de> |
| 3 | Date: Sun, 24 Mar 2019 09:51:39 +0100 |
| 4 | Subject: Fix security framework bypass |
| 5 | |
| 6 | xsltCheckRead and xsltCheckWrite return -1 in case of error but callers |
| 7 | don't check for this condition and allow access. With a specially |
| 8 | crafted URL, xsltCheckRead could be tricked into returning an error |
| 9 | because of a supposedly invalid URL that would still be loaded |
| 10 | successfully later on. |
| 11 | |
| 12 | Fixes #12. |
| 13 | |
| 14 | Thanks to Felix Wilhelm for the report. |
| 15 | |
| 16 | Signed-off-by: Adrian Bunk <bunk@stusta.de> |
| 17 | Upstream-Status: Backport |
| 18 | CVE: CVE-2019-11068 |
| 19 | --- |
| 20 | libxslt/documents.c | 18 ++++++++++-------- |
| 21 | libxslt/imports.c | 9 +++++---- |
| 22 | libxslt/transform.c | 9 +++++---- |
| 23 | libxslt/xslt.c | 9 +++++---- |
| 24 | 4 files changed, 25 insertions(+), 20 deletions(-) |
| 25 | |
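--- a/libxslt/documents.c
+++ b/libxslt/documents.c
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
 int res;
 
 res = xsltCheckRead(ctxt->sec, ctxt, URI);
- if (res == 0) {
- xsltTransformError(ctxt, NULL, NULL,
- "xsltLoadDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(ctxt, NULL, NULL,
+ "xsltLoadDocument: read rights for %s denied\n",
+ URI);
 return(NULL);
 }
 }
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
 int res;
 
 res = xsltCheckRead(sec, NULL, URI);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltLoadStyleDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltLoadStyleDocument: read rights for %s denied\n",
+ URI);
 return(NULL);
 }
 }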
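Review bot: The new `if (res <= 0)` guard fails closed, but nothing at the call site says why a negative result is handled like a denial, and the inner `if (res == 0)` wraps a multi-line call without braces. I would add `/* -1: the check itself failed (e.g. URL rejected as invalid); deny as well */` above the guard and brace the inner `if`. On the `res < 0` path no message is emitted here, so unless xsltCheckRead reports the failure itself (not visible in this patch) a refused load leaves no trace for anyone debugging or monitoring denials. The same applies to the guards in xsltParseStylesheetImport, xsltDocumentElem and xsltParseStylesheetFile in the other files. Both function bodies here start and end outside their hunks.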
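--- a/libxslt/imports.c
+++ b/libxslt/imports.c
@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
 int secres;
 
 secres = xsltCheckRead(sec, NULL, URI);
- if (secres == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsl:import: read rights for %s denied\n",
- URI);
+ if (secres <= 0) {
+ if (secres == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsl:import: read rights for %s denied\n",
+ URI);
 goto error;
 }
 }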
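--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
 */
 if (ctxt->sec != NULL) {
 ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
- if (ret == 0) {
- xsltTransformError(ctxt, NULL, inst,
- "xsltDocumentElem: write rights for %s denied\n",
- filename);
+ if (ret <= 0) {
+ if (ret == 0)
+ xsltTransformError(ctxt, NULL, inst,
+ "xsltDocumentElem: write rights for %s denied\n",
+ filename);
 xmlFree(URL);
 xmlFree(filename);
 return;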
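--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
 int res;
 
 res = xsltCheckRead(sec, NULL, filename);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltParseStylesheetFile: read rights for %s denied\n",
- filename);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltParseStylesheetFile: read rights for %s denied\n",
+ filename);
 return(NULL);
 }
 }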
| 122 | -- |
| 123 | 2.20.1 |
| 124 | |