5 files changed, 4 insertions, 274 deletions
diff --git a/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
deleted file mode 100644
index 89b647ddbf..0000000000
--- a/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sun, 24 Mar 2019 09:51:39 +0100
-Subject: Fix security framework bypass
-xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
-don't check for this condition and allow access. With a specially
-crafted URL, xsltCheckRead could be tricked into returning an error
-because of a supposedly invalid URL that would still be loaded
-succesfully later on.
-Fixes #12.
-Thanks to Felix Wilhelm for the report.
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-11068
---
- libxslt/documents.c | 18 ++++++++++--------
- libxslt/imports.c   |  9 +++++----
- libxslt/transform.c |  9 +++++----
- libxslt/xslt.c      |  9 +++++----
- 4 files changed, 25 insertions(+), 20 deletions(-)
-diff --git a/libxslt/documents.c b/libxslt/documents.c
-index 3f3a7312..4aad11bb 100644
--- a/libxslt/documents.c
-+++ b/libxslt/documents.c
-@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
-        int res;
- 
-        res = xsltCheckRead(ctxt->sec, ctxt, URI);
-       if (res == 0) {
-           xsltTransformError(ctxt, NULL, NULL,
-                "xsltLoadDocument: read rights for %s denied\n",
-                            URI);
-+       if (res <= 0) {
-+            if (res == 0)
-+                xsltTransformError(ctxt, NULL, NULL,
-+                     "xsltLoadDocument: read rights for %s denied\n",
-+                                 URI);
-            return(NULL);
-        }
-     }
-@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
-        int res;
- 
-        res = xsltCheckRead(sec, NULL, URI);
-       if (res == 0) {
-           xsltTransformError(NULL, NULL, NULL,
-                "xsltLoadStyleDocument: read rights for %s denied\n",
-                            URI);
-+       if (res <= 0) {
-+            if (res == 0)
-+                xsltTransformError(NULL, NULL, NULL,
-+                     "xsltLoadStyleDocument: read rights for %s denied\n",
-+                                 URI);
-            return(NULL);
-        }
-     }
-diff --git a/libxslt/imports.c b/libxslt/imports.c
-index 874870cc..3783b247 100644
--- a/libxslt/imports.c
-+++ b/libxslt/imports.c
-@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
-        int secres;
- 
-        secres = xsltCheckRead(sec, NULL, URI);
-       if (secres == 0) {
-           xsltTransformError(NULL, NULL, NULL,
-                "xsl:import: read rights for %s denied\n",
-                            URI);
-+       if (secres <= 0) {
-+            if (secres == 0)
-+                xsltTransformError(NULL, NULL, NULL,
-+                     "xsl:import: read rights for %s denied\n",
-+                                 URI);
-            goto error;
-        }
-     }
-diff --git a/libxslt/transform.c b/libxslt/transform.c
-index 13793914..0636dbd0 100644
--- a/libxslt/transform.c
-+++ b/libxslt/transform.c
-@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
-      */
-     if (ctxt->sec != NULL) {
-        ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
-       if (ret == 0) {
-           xsltTransformError(ctxt, NULL, inst,
-                "xsltDocumentElem: write rights for %s denied\n",
-                            filename);
-+       if (ret <= 0) {
-+            if (ret == 0)
-+                xsltTransformError(ctxt, NULL, inst,
-+                     "xsltDocumentElem: write rights for %s denied\n",
-+                                 filename);
-            xmlFree(URL);
-            xmlFree(filename);
-            return;
-diff --git a/libxslt/xslt.c b/libxslt/xslt.c
-index 780a5ad7..a234eb79 100644
--- a/libxslt/xslt.c
-+++ b/libxslt/xslt.c
-@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
-        int res;
- 
-        res = xsltCheckRead(sec, NULL, filename);
-       if (res == 0) {
-           xsltTransformError(NULL, NULL, NULL,
-                "xsltParseStylesheetFile: read rights for %s denied\n",
-                            filename);
-+       if (res <= 0) {
-+            if (res == 0)
-+                xsltTransformError(NULL, NULL, NULL,
-+                     "xsltParseStylesheetFile: read rights for %s denied\n",
-+                                 filename);
-            return(NULL);
-        }
-     }
-- 
-2.20.1
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
deleted file mode 100644
index ef3f2709f7..0000000000
--- a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sat, 27 Apr 2019 11:19:48 +0200
-Subject: [PATCH] Fix uninitialized read of xsl:number token
-Found by OSS-Fuzz.
-CVE: CVE-2019-13117
-Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
- libxslt/numbers.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index 89e1f668..75c31eba 100644
--- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
-                tokens->tokens[tokens->nTokens].token = val - 1;
-                ix += len;
-                val = xmlStringCurrentChar(NULL, format+ix, &len);
-           }
-+           } else {
-+                tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
-+                tokens->tokens[tokens->nTokens].width = 1;
-+            }
-        } else if ( (val == (xmlChar)'A') ||
-                    (val == (xmlChar)'a') ||
-                    (val == (xmlChar)'I') ||
-- 
-2.21.0
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
deleted file mode 100644
index 595e6c2f33..0000000000
--- a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 3 Jun 2019 13:14:45 +0200
-Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
-The character type in xsltFormatNumberConversion was too narrow and
-an invalid character/length combination could be passed to
-xsltNumberFormatDecimal, resulting in an uninitialized read.
-Found by OSS-Fuzz.
-CVE: CVE-2019-13118
-Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
- libxslt/numbers.c         | 5 +++--
- tests/docs/bug-222.xml    | 1 +
- tests/general/bug-222.out | 2 ++
- tests/general/bug-222.xsl | 6 ++++++
- 4 files changed, 12 insertions(+), 2 deletions(-)
- create mode 100644 tests/docs/bug-222.xml
- create mode 100644 tests/general/bug-222.out
- create mode 100644 tests/general/bug-222.xsl
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index f1ed8846..20b99d5a 100644
--- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
-     number = floor((scale * number + 0.5)) / scale;
-     if ((self->grouping != NULL) &&
-         (self->grouping[0] != 0)) {
-+        int gchar;
- 
-        len = xmlStrlen(self->grouping);
-       pchar = xsltGetUTF8Char(self->grouping, &len);
-+       gchar = xsltGetUTF8Char(self->grouping, &len);
-        xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
-                                format_info.integer_digits,
-                                format_info.group,
-                               pchar, len);
-+                               gchar, len);
-     } else
-        xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
-                                format_info.integer_digits,
-diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
-new file mode 100644
-index 00000000..69d62f2c
--- /dev/null
-+++ b/tests/docs/bug-222.xml
-@@ -0,0 +1 @@
-+<doc/>
-diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
-new file mode 100644
-index 00000000..e3139698
--- /dev/null
-+++ b/tests/general/bug-222.out
-@@ -0,0 +1,2 @@
-+<?xml version="1.0"?>
-+1⠢0
-diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
-new file mode 100644
-index 00000000..e32dc473
--- /dev/null
-+++ b/tests/general/bug-222.xsl
-@@ -0,0 +1,6 @@
-+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-+  <xsl:decimal-format name="f" grouping-separator="⠢"/>
-+  <xsl:template match="/">
-+    <xsl:value-of select="format-number(10,'#⠢0','f')"/>
-+  </xsl:template>
-+</xsl:stylesheet>
-- 
-2.21.0
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-18197.patch b/meta/recipes-support/libxslt/files/CVE-2019-18197.patch
deleted file mode 100644
index 5f2b620396..0000000000
--- a/meta/recipes-support/libxslt/files/CVE-2019-18197.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-libxslt: fix CVE-2019-18197
-Added after 1.1.33 release.
-CVE: CVE-2019-18197
-Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt.git]
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
-commit 2232473733b7313d67de8836ea3b29eec6e8e285
-Author: Nick Wellnhofer <wellnhofer@aevum.de>
-Date:   Sat Aug 17 16:51:53 2019 +0200
-    Fix dangling pointer in xsltCopyText
-    
-    xsltCopyText didn't reset ctxt->lasttext in some cases which could
-    lead to various memory errors in relation with CDATA sections in input
-    documents.
-    
-    Found by OSS-Fuzz.
-diff --git a/libxslt/transform.c b/libxslt/transform.c
-index 95ebd07..d7ab0b6 100644
--- a/libxslt/transform.c
-+++ b/libxslt/transform.c
-@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
-            if ((copy->content = xmlStrdup(cur->content)) == NULL)
-                return NULL;
-        }
-+
-+       ctxt->lasttext = NULL;
-     } else {
-         /*
-         * normal processing. keep counters to extend the text node
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
index 9f268e7bb0..ad37b5a44a 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
@@ -9,14 +9,10 @@ SECTION = "libs"
 DEPENDS = "libxml2"
 SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
-           file://0001-Fix-security-framework-bypass.patch \
+          "
-           file://CVE-2019-13117.patch \
-           file://CVE-2019-13118.patch \
+SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a"
-           file://CVE-2019-18197.patch \
+SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f"
-"
-SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"
-SRC_URI[sha256sum] = "8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8"
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"

diff --git a/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch deleted file mode 100644 index 89b647ddbf..0000000000 --- a/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch +++ /dev/null
@@ -1,124 +0,0 @@
1	From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
2	From: Nick Wellnhofer <wellnhofer@aevum.de>
3	Date: Sun, 24 Mar 2019 09:51:39 +0100
4	Subject: Fix security framework bypass
5
6	xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
7	don't check for this condition and allow access. With a specially
8	crafted URL, xsltCheckRead could be tricked into returning an error
9	because of a supposedly invalid URL that would still be loaded
10	succesfully later on.
11
12	Fixes #12.
13
14	Thanks to Felix Wilhelm for the report.
15
16	Signed-off-by: Adrian Bunk <bunk@stusta.de>
17	Upstream-Status: Backport
18	CVE: CVE-2019-11068
19	---
20	libxslt/documents.c \| 18 ++++++++++--------
21	libxslt/imports.c \| 9 +++++----
22	libxslt/transform.c \| 9 +++++----
23	libxslt/xslt.c \| 9 +++++----
24	4 files changed, 25 insertions(+), 20 deletions(-)
25
26	diff --git a/libxslt/documents.c b/libxslt/documents.c
27	index 3f3a7312..4aad11bb 100644
28	--- a/libxslt/documents.c
29	+++ b/libxslt/documents.c
30	@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
31	int res;
32
33	res = xsltCheckRead(ctxt->sec, ctxt, URI);
34	- if (res == 0) {
35	- xsltTransformError(ctxt, NULL, NULL,
36	- "xsltLoadDocument: read rights for %s denied\n",
37	- URI);
38	+ if (res <= 0) {
39	+ if (res == 0)
40	+ xsltTransformError(ctxt, NULL, NULL,
41	+ "xsltLoadDocument: read rights for %s denied\n",
42	+ URI);
43	return(NULL);
44	}
45	}
46	@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
47	int res;
48
49	res = xsltCheckRead(sec, NULL, URI);
50	- if (res == 0) {
51	- xsltTransformError(NULL, NULL, NULL,
52	- "xsltLoadStyleDocument: read rights for %s denied\n",
53	- URI);
54	+ if (res <= 0) {
55	+ if (res == 0)
56	+ xsltTransformError(NULL, NULL, NULL,
57	+ "xsltLoadStyleDocument: read rights for %s denied\n",
58	+ URI);
59	return(NULL);
60	}
61	}
62	diff --git a/libxslt/imports.c b/libxslt/imports.c
63	index 874870cc..3783b247 100644
64	--- a/libxslt/imports.c
65	+++ b/libxslt/imports.c
66	@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
67	int secres;
68
69	secres = xsltCheckRead(sec, NULL, URI);
70	- if (secres == 0) {
71	- xsltTransformError(NULL, NULL, NULL,
72	- "xsl:import: read rights for %s denied\n",
73	- URI);
74	+ if (secres <= 0) {
75	+ if (secres == 0)
76	+ xsltTransformError(NULL, NULL, NULL,
77	+ "xsl:import: read rights for %s denied\n",
78	+ URI);
79	goto error;
80	}
81	}
82	diff --git a/libxslt/transform.c b/libxslt/transform.c
83	index 13793914..0636dbd0 100644
84	--- a/libxslt/transform.c
85	+++ b/libxslt/transform.c
86	@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
87	*/
88	if (ctxt->sec != NULL) {
89	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
90	- if (ret == 0) {
91	- xsltTransformError(ctxt, NULL, inst,
92	- "xsltDocumentElem: write rights for %s denied\n",
93	- filename);
94	+ if (ret <= 0) {
95	+ if (ret == 0)
96	+ xsltTransformError(ctxt, NULL, inst,
97	+ "xsltDocumentElem: write rights for %s denied\n",
98	+ filename);
99	xmlFree(URL);
100	xmlFree(filename);
101	return;
102	diff --git a/libxslt/xslt.c b/libxslt/xslt.c
103	index 780a5ad7..a234eb79 100644
104	--- a/libxslt/xslt.c
105	+++ b/libxslt/xslt.c
106	@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
107	int res;
108
109	res = xsltCheckRead(sec, NULL, filename);
110	- if (res == 0) {
111	- xsltTransformError(NULL, NULL, NULL,
112	- "xsltParseStylesheetFile: read rights for %s denied\n",
113	- filename);
114	+ if (res <= 0) {
115	+ if (res == 0)
116	+ xsltTransformError(NULL, NULL, NULL,
117	+ "xsltParseStylesheetFile: read rights for %s denied\n",
118	+ filename);
119	return(NULL);
120	}
121	}
122	--
123	2.20.1
124


diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch deleted file mode 100644 index ef3f2709f7..0000000000 --- a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch +++ /dev/null
@@ -1,33 +0,0 @@
1	From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
2	From: Nick Wellnhofer <wellnhofer@aevum.de>
3	Date: Sat, 27 Apr 2019 11:19:48 +0200
4	Subject: [PATCH] Fix uninitialized read of xsl:number token
5
6	Found by OSS-Fuzz.
7
8	CVE: CVE-2019-13117
9	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1]
10	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
11	---
12	libxslt/numbers.c \| 5 ++++-
13	1 file changed, 4 insertions(+), 1 deletion(-)
14
15	diff --git a/libxslt/numbers.c b/libxslt/numbers.c
16	index 89e1f668..75c31eba 100644
17	--- a/libxslt/numbers.c
18	+++ b/libxslt/numbers.c
19	@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
20	tokens->tokens[tokens->nTokens].token = val - 1;
21	ix += len;
22	val = xmlStringCurrentChar(NULL, format+ix, &len);
23	- }
24	+ } else {
25	+ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
26	+ tokens->tokens[tokens->nTokens].width = 1;
27	+ }
28	} else if ( (val == (xmlChar)'A') \|\|
29	(val == (xmlChar)'a') \|\|
30	(val == (xmlChar)'I') \|\|
31	--
32	2.21.0
33


diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch deleted file mode 100644 index 595e6c2f33..0000000000 --- a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch +++ /dev/null
@@ -1,76 +0,0 @@
1	From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
2	From: Nick Wellnhofer <wellnhofer@aevum.de>
3	Date: Mon, 3 Jun 2019 13:14:45 +0200
4	Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
5
6	The character type in xsltFormatNumberConversion was too narrow and
7	an invalid character/length combination could be passed to
8	xsltNumberFormatDecimal, resulting in an uninitialized read.
9
10	Found by OSS-Fuzz.
11
12	CVE: CVE-2019-13118
13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b]
14	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
15
16	---
17	libxslt/numbers.c \| 5 +++--
18	tests/docs/bug-222.xml \| 1 +
19	tests/general/bug-222.out \| 2 ++
20	tests/general/bug-222.xsl \| 6 ++++++
21	4 files changed, 12 insertions(+), 2 deletions(-)
22	create mode 100644 tests/docs/bug-222.xml
23	create mode 100644 tests/general/bug-222.out
24	create mode 100644 tests/general/bug-222.xsl
25
26	diff --git a/libxslt/numbers.c b/libxslt/numbers.c
27	index f1ed8846..20b99d5a 100644
28	--- a/libxslt/numbers.c
29	+++ b/libxslt/numbers.c
30	@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
31	number = floor((scale * number + 0.5)) / scale;
32	if ((self->grouping != NULL) &&
33	(self->grouping[0] != 0)) {
34	+ int gchar;
35
36	len = xmlStrlen(self->grouping);
37	- pchar = xsltGetUTF8Char(self->grouping, &len);
38	+ gchar = xsltGetUTF8Char(self->grouping, &len);
39	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
40	format_info.integer_digits,
41	format_info.group,
42	- pchar, len);
43	+ gchar, len);
44	} else
45	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
46	format_info.integer_digits,
47	diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
48	new file mode 100644
49	index 00000000..69d62f2c
50	--- /dev/null
51	+++ b/tests/docs/bug-222.xml
52	@@ -0,0 +1 @@
53	+<doc/>
54	diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
55	new file mode 100644
56	index 00000000..e3139698
57	--- /dev/null
58	+++ b/tests/general/bug-222.out
59	@@ -0,0 +1,2 @@
60	+<?xml version="1.0"?>
61	+1⠢0
62	diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
63	new file mode 100644
64	index 00000000..e32dc473
65	--- /dev/null
66	+++ b/tests/general/bug-222.xsl
67	@@ -0,0 +1,6 @@
68	+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
69	+ <xsl:decimal-format name="f" grouping-separator="⠢"/>
70	+ <xsl:template match="/">
71	+ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
72	+ </xsl:template>
73	+</xsl:stylesheet>
74	--
75	2.21.0
76


diff --git a/meta/recipes-support/libxslt/files/CVE-2019-18197.patch b/meta/recipes-support/libxslt/files/CVE-2019-18197.patch deleted file mode 100644 index 5f2b620396..0000000000 --- a/meta/recipes-support/libxslt/files/CVE-2019-18197.patch +++ /dev/null
@@ -1,33 +0,0 @@
1	libxslt: fix CVE-2019-18197
2
3	Added after 1.1.33 release.
4
5	CVE: CVE-2019-18197
6	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt.git]
7	Signed-off-by: Joe Slater <joe.slater@windriver.com>
8
9	commit 2232473733b7313d67de8836ea3b29eec6e8e285
10	Author: Nick Wellnhofer <wellnhofer@aevum.de>
11	Date: Sat Aug 17 16:51:53 2019 +0200
12
13	Fix dangling pointer in xsltCopyText
14
15	xsltCopyText didn't reset ctxt->lasttext in some cases which could
16	lead to various memory errors in relation with CDATA sections in input
17	documents.
18
19	Found by OSS-Fuzz.
20
21	diff --git a/libxslt/transform.c b/libxslt/transform.c
22	index 95ebd07..d7ab0b6 100644
23	--- a/libxslt/transform.c
24	+++ b/libxslt/transform.c
25	@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
26	if ((copy->content = xmlStrdup(cur->content)) == NULL)
27	return NULL;
28	}
29	+
30	+ ctxt->lasttext = NULL;
31	} else {
32	/*
33	* normal processing. keep counters to extend the text node


diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.34.bb index 9f268e7bb0..ad37b5a44a 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
@@ -9,14 +9,10 @@ SECTION = "libs"
9	DEPENDS = "libxml2"	9	DEPENDS = "libxml2"
10		10
11	SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \	11	SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
12	file://0001-Fix-security-framework-bypass.patch \	12	"
13	file://CVE-2019-13117.patch \	13
14	file://CVE-2019-13118.patch \	14	SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a"
15	file://CVE-2019-18197.patch \	15	SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f"
16	"
17
18	SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"
19	SRC_URI[sha256sum] = "8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8"
20		16
21	UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"	17	UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
22		18