author | Nick Wellnhofer <wellnhofer@aevum.de> | 2021-06-12 20:02:53 +0200 |
---|---|---|
committer | DongHun Kwak <dh0128.kwak@samsung.com> | 2023-01-12 10:49:22 +0900 |
commit | dde2f731faa5f53f416d96ba738b03034038b0d1 (patch) | |
tree | 8c9651dd078214865239b83091775ec151ec34f1 /libxslt.m4 | |
parent | 52575733efa1b63a3f5fa615821c38c54387d409 (diff) | |
download | libxslt-accepted/tizen_6.0_base_tool.tar.gz libxslt-accepted/tizen_6.0_base_tool.tar.bz2 libxslt-accepted/tizen_6.0_base_tool.zip |

Refs: submit/tizen_6.0_base/20230112.235416, accepted/tizen/6.0/base/tool/20230116.011857, accepted/tizen/6.0/base/20230713.142924, tizen_6.0_base, accepted/tizen_6.0_base_tool, accepted/tizen_6.0_base

[CVE-2021-30560] Fix use-after-free in xsltApplyTemplates

xsltApplyTemplates without a select expression could delete nodes in
the source document.

1. Text nodes with strippable whitespace

Whitespace from input documents is already stripped, so there's no
need to strip it again. Under certain circumstances, xsltApplyTemplates
could be fooled into deleting text nodes that are still referenced,
resulting in a use-after-free.

2. The DTD

The DTD was only unlinked, but there's no good reason to do this just
now. Maybe it was meant as a micro-optimization.

3. Unknown nodes

Useless and dangerous as well, especially with XInclude nodes.
See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268

Simply stop trying to uselessly delete nodes when applying a template.
This part of the code is probably a leftover from a time where
xsltApplyStripSpaces wasn't implemented yet. Also note that
xsltApplyTemplates with a select expression never tried to delete
nodes.

Also stop xsltDefaultProcessOneNode from deleting nodes for the same
reasons.

This fixes CVE-2021-30560.

Change-Id: I2931b52883f49f2a22b6b984cabb22f0af7b99e8
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>

Diffstat (limited to 'libxslt.m4')
0 files changed, 0 insertions, 0 deletions
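
A simplified model of the ownership problem the commit message describes, added here as an illustration; it is not libxslt or libxml2 code. The `Node` type, the function names and the sample tree are assumptions, all blank text is treated as strippable, and freeing is modelled with a flag so the program stays well-defined.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-in for a source-tree node; not libxml2's xmlNode. */
typedef struct Node {
    const char *text;   /* NULL for an element, content for a text node */
    struct Node *next;  /* next sibling */
    bool freed;         /* set instead of calling free() (assumption of this model) */
} Node;
typedef struct { int processed, dangling; } Result;

static bool is_blank(const Node *n) {
    const char *p = n->text;
    if (!p) return false;
    while (isspace((unsigned char)*p)) p++;
    return *p == '\0';
}

/* Before: walking the children also deletes blank text nodes from the source tree. */
static int apply_deleting(Node **head) {
    int processed = 0;
    for (Node **link = head; *link; ) {
        Node *cur = *link;
        if (is_blank(cur)) {
            *link = cur->next;  /* unlink from the tree */
            cur->freed = true;  /* models the free: other holders now dangle */
        } else {
            processed++;
            link = &cur->next;
        }
    }
    return processed;
}

/* After: blank text nodes are skipped and the source document is left alone. */
static int apply_skipping(Node *head) {
    int processed = 0;
    for (Node *cur = head; cur; cur = cur->next)
        if (!is_blank(cur)) processed++;
    return processed;
}

/* Constructed input: <a/>, whitespace text, <b/>; `saved` models a still-live reference. */
Result run_model(bool deleting) {
    Node b = { NULL, NULL, false }, ws = { " \n", &b, false }, a = { NULL, &ws, false };
    Node *head = &a, *saved = &ws;
    Result r = { deleting ? apply_deleting(&head) : apply_skipping(head), 0 };
    r.dangling = saved->freed ? 1 : 0;
    return r;
}

int main(void) {
    printf("deleting: %d dangling, skipping: %d dangling\n",
           run_model(true).dangling, run_model(false).dangling);
}
```

Both variants process the same two element nodes; only the deleting variant leaves the saved reference pointing at a freed node.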