author | Nick Wellnhofer <wellnhofer@aevum.de> | 2019-03-24 09:51:39 +0100 |
---|---|---|
committer | Hyunjee Kim <hj0426.kim@samsung.com> | 2019-04-18 10:26:58 +0900 |
commit | a66e0a13bfe5bb97011149401bf8e28d805e3c5b (patch) | |
tree | 048b08cdde3e06e9abcdafdd9703de03fb7413da | |
parent | 07bd881c7728b550d8c3930f01acfb9d58fa9396 (diff) | |
[CVE-2019-11068] Fix security framework bypass (submit/tizen_5.0_base/20190418.021329, accepted/tizen/5.0/base/20190418.091601)
xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
don't check for this condition and allow access. With a specially
crafted URL, xsltCheckRead could be tricked into returning an error
because of a supposedly invalid URL that would still be loaded
successfully later on.
Fixes #12.
Thanks to Felix Wilhelm for the report.
Change-Id: I375321f8059fbe1558820d7ec922cd2026148764
Signed-off-by: Hyunjee Kim <hj0426.kim@samsung.com>
-rw-r--r-- | libxslt/documents.c | 18 | ||||
-rw-r--r-- | libxslt/imports.c | 9 | ||||
-rw-r--r-- | libxslt/transform.c | 9 | ||||
-rw-r--r-- | libxslt/xslt.c | 9 | ||||
-rw-r--r-- | packaging/libxslt.spec | 2 |
5 files changed, 26 insertions, 21 deletions
diff --git a/libxslt/documents.c b/libxslt/documents.c
index 3f3a7312..4aad11bb 100644
--- a/libxslt/documents.c
+++ b/libxslt/documents.c
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
 int res;
 res = xsltCheckRead(ctxt->sec, ctxt, URI);
- if (res == 0) {
- xsltTransformError(ctxt, NULL, NULL,
- "xsltLoadDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(ctxt, NULL, NULL,
+ "xsltLoadDocument: read rights for %s denied\n",
+ URI);
 return(NULL);
 }
 }
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
 int res;
 res = xsltCheckRead(sec, NULL, URI);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltLoadStyleDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltLoadStyleDocument: read rights for %s denied\n",
+ URI);
 return(NULL);
 }
 }
diff --git a/libxslt/imports.c b/libxslt/imports.c
index 7262aab9..b62e0877 100644
--- a/libxslt/imports.c
+++ b/libxslt/imports.c
@@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
 int secres;
 secres = xsltCheckRead(sec, NULL, URI);
- if (secres == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsl:import: read rights for %s denied\n",
- URI);
+ if (secres <= 0) {
+ if (secres == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsl:import: read rights for %s denied\n",
+ URI);
 goto error;
 }
 }
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 560f43ca..46eef553 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
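Review bot: The inner `if (res == 0)` in xsltLoadDocument is left without braces although it guards a three-line call inside a braced block, and nothing at the call site says why a negative result now denies access. I would brace it and put a comment above the outer test such as `/* res < 0: the security check itself failed (e.g. the URL could not be parsed); fail closed */`, so that a later cleanup does not narrow the condition back to `== 0`. The same shape repeats in xsltLoadStyleDocument, xsltParseStylesheetImport, xsltDocumentElem and xsltParseStylesheetFile. The enclosing function starts and ends outside the hunk.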
@@ -3485,10 +3485,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
 */
 if (ctxt->sec != NULL) {
 ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
- if (ret == 0) {
- xsltTransformError(ctxt, NULL, inst,
- "xsltDocumentElem: write rights for %s denied\n",
- filename);
+ if (ret <= 0) {
+ if (ret == 0)
+ xsltTransformError(ctxt, NULL, inst,
+ "xsltDocumentElem: write rights for %s denied\n",
+ filename);
 xmlFree(URL);
 xmlFree(filename);
 return;
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 54a39de9..359913e4 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
 int res;
 res = xsltCheckRead(sec, NULL, filename);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltParseStylesheetFile: read rights for %s denied\n",
- filename);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltParseStylesheetFile: read rights for %s denied\n",
+ filename);
 return(NULL);
 }
 }
diff --git a/packaging/libxslt.spec b/packaging/libxslt.spec
index b9ea7233..0a362a08 100644
--- a/packaging/libxslt.spec
+++ b/packaging/libxslt.spec
@@ -6,7 +6,7 @@ Name: libxslt
 Version: 1.1.31
-Release: 0
+Release: 1
 Summary: XSL Transformation Library
 License: MIT
 Group: System/Libraries |
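Review bot: When `ret < 0` in xsltDocumentElem the function frees URL and filename and returns with no message from this call site, so a write refused because the check errored is only visible if xsltCheckWrite reports it itself, which this hunk does not show. If it does not, an `else` branch with its own message, for example `xsltTransformError(ctxt, NULL, inst, "xsltDocumentElem: security check failed for %s\n", filename);`, would let an operator tell a policy denial from a target the checker could not parse. The read-side call sites in this commit have the same silent negative path. The function body continues outside the hunk.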
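Review bot: `res <= 0` in xsltParseStylesheetFile is the fifth hand-copied version of the same three-way check in this commit, which suggests the return contract of xsltCheckRead and xsltCheckWrite is not stated where callers will see it. A doc comment on both functions saying that 0 means denied, a negative value means the check could not be completed, and callers must refuse access in both cases would make the rule explicit; their definitions and any further callers are outside this diff, so that needs confirming there. A regression test that loads a URL the checker rejects as invalid would pin the fail-closed behaviour, and none appears in this change's file list.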