dev-libs/libxslt: apply several upstream patches, bug #558822

Apply security fixes, bug #558822 as well as patches from upstream as listed in debian package. Also rework python detection with AM_PATH_PYTHON for easier multiple python support in the future. Handle examples like in libxml2. Package-Manager: portage-2.2.24
johu · Nov 11, 2015 · aebffaa · aebffaa
1 parent 9e6a255
commit aebffaa
Show file tree

Hide file tree

Showing 8 changed files with 659 additions and 0 deletions.
diff --git a/dev-libs/libxslt/files/libxslt-1.1.28-attribute-type-preprocessing.patch b/dev-libs/libxslt/files/libxslt-1.1.28-attribute-type-preprocessing.patch
@@ -0,0 +1,29 @@
+From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Thu, 29 Oct 2015 19:33:23 +0800
+Subject: Fix for type confusion in preprocessing attributes
+
+CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
+We need to check that the parent node is an element before dereferencing
+its namespace
+---
+ libxslt/preproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/preproc.c b/libxslt/preproc.c
+index 0eb80a0..7f69325 100644
+--- a/libxslt/preproc.c
++++ b/libxslt/preproc.c
+@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
+ 	} else if (IS_XSLT_NAME(inst, "attribute")) {
+ 	    xmlNodePtr parent = inst->parent;
+
+-	    if ((parent == NULL) || (parent->ns == NULL) ||
++	    if ((parent == NULL) ||
++	        (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
+ 		((parent->ns != inst->ns) &&
+ 		 (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
+ 		(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
+-- 
+cgit v0.11.2
+
diff --git a/dev-libs/libxslt/files/libxslt-1.1.28-broken-fprintf-parameters.patch b/dev-libs/libxslt/files/libxslt-1.1.28-broken-fprintf-parameters.patch
@@ -0,0 +1,52 @@
+From 90e8b9066d877e040e791bbf206db0e5653e017a Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Wed, 30 Jan 2013 17:31:37 +0100
+Subject: Fix a couple of places where (f)printf parameters were broken
+
+As reported by Thomas Jarosch <[email protected]>
+---
+ python/libxslt.c    | 10 +++++-----
+ xsltproc/xsltproc.c |  2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/python/libxslt.c b/python/libxslt.c
+index 6a4f1c3..8dd6c78 100644
+--- a/python/libxslt.c
++++ b/python/libxslt.c
+@@ -356,15 +356,15 @@ libxslt_xsltRegisterExtModuleElement(PyObject *self ATTRIBUTE_UNUSED,
+     PyObject *pyobj_element_f;
+     PyObject *pyobj_precomp_f;
+
+-#ifdef DEBUG_EXTENSIONS
+-    printf("libxslt_xsltRegisterExtModuleElement called\n",
+-	   name, ns_uri);
+-#endif
+-
+     if (!PyArg_ParseTuple(args, (char *)"szOO:registerExtModuleElement",
+ 		          &name, &ns_uri, &pyobj_precomp_f, &pyobj_element_f))
+         return(NULL);
+
++#ifdef DEBUG_EXTENSIONS
++    printf("libxslt_xsltRegisterExtModuleElement called: %s %s\n",
++	   name, ns_uri);
++#endif
++
+     if ((name == NULL) || (pyobj_element_f == NULL) || (pyobj_precomp_f == NULL)) {
+ 	py_retval = libxml_intWrap(-1);
+ 	return(py_retval);
+diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
+index 35f37e8..dfd6d31 100644
+--- a/xsltproc/xsltproc.c
++++ b/xsltproc/xsltproc.c
+@@ -319,7 +319,7 @@ static void endTimer(char *format, ...)
+     va_start(ap, format);
+     vfprintf(stderr,format,ap);
+     va_end(ap);
+-    fprintf(stderr, " was not timed\n", msec);
++    fprintf(stderr, " was not timed\n");
+ #else
+   /* We don't have gettimeofday, time or stdarg.h, what crazy world is
+    * this ?!
+-- 
+cgit v0.11.2
+
diff --git a/dev-libs/libxslt/files/libxslt-1.1.28-disable-static-modules.patch b/dev-libs/libxslt/files/libxslt-1.1.28-disable-static-modules.patch
@@ -0,0 +1,33 @@
+From 06c9dba42097b06a18c81bb54a8da8b2bfaf991d Mon Sep 17 00:00:00 2001
+From: Gilles Dartiguelongue <[email protected]>
+Date: Wed, 11 Nov 2015 20:01:14 +0100
+Subject: [PATCH 3/3] Disable static module for python module
+
+---
+ python/Makefile.am | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/python/Makefile.am b/python/Makefile.am
+index cc13c62..62afd1b 100644
+--- a/python/Makefile.am
++++ b/python/Makefile.am
+@@ -27,6 +27,7 @@ python_PYTHON = libxslt.py
+ pyexec_LTLIBRARIES = libxsltmod.la
+
+ libxsltmod_la_CPPFLAGS = \
++	-shared \
+ 	-I$(top_srcdir)/libxslt \
+ 	-I$(top_srcdir) \
+ 	-I$(top_srcdir)/libexslt \
+@@ -34,7 +35,7 @@ libxsltmod_la_CPPFLAGS = \
+ libxsltmod_la_SOURCES = libxslt.c types.c
+ nodist_libxsltmod_la_SOURCES = libxslt-py.c
+ libxsltmod_la_LIBADD = $(mylibs) $(PYTHON_LIBS)
+-libxsltmod_la_LDFLAGS =  $(WIN32_EXTRA_LDFLAGS) $(PYTHON_LDFLAGS) -module -avoid-version
++libxsltmod_la_LDFLAGS =  $(WIN32_EXTRA_LDFLAGS) $(PYTHON_LDFLAGS) -module -avoid-version -shared
+
+ libxslt.py: $(srcdir)/libxsl.py libxsltclass.py
+ 	cat $(srcdir)/libxsl.py libxsltclass.py > $@
+-- 
+2.6.3
+
diff --git a/dev-libs/libxslt/files/libxslt-1.1.28-exslt-str-replace.patch b/dev-libs/libxslt/files/libxslt-1.1.28-exslt-str-replace.patch
@@ -0,0 +1,42 @@
+From ae49d7a73b043bccb7631e7d9577bcaa0bbf8528 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Mon, 1 Jul 2013 21:10:10 +0800
+Subject: EXSLT function str:replace() is broken as-is
+
+the str:replace() function is no longer usable without a transform
+context. I take it from the bug report that it is not supposed to be used
+from plain XPath but only from XSLT according to the EXSLT specification.
+
+However, the previous implementation used to work in XPath and is still
+registered on an xmlXPathContext by the exsltStrXpathCtxtRegister()
+function. When called from plain XPath, it results in a memory error in
+line 526 (exsltStrReturnString()) of strings.c because xsltCreateRVT()
+returns NULL as an error indicator due to a NULL transform context being
+passed in, which was the return value from xsltXPathGetTransformContext() a
+bit further up (and the code doesn't validate that).
+
+Since fixing the function looks impossible, best is to remove it.
+---
+ libexslt/strings.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/libexslt/strings.c b/libexslt/strings.c
+index 045cc14..c0c7a18 100644
+--- a/libexslt/strings.c
++++ b/libexslt/strings.c
+@@ -838,11 +838,7 @@ exsltStrXpathCtxtRegister (xmlXPathContextPtr ctxt, const xmlChar *prefix)
+         && !xmlXPathRegisterFuncNS(ctxt,
+                                    (const xmlChar *) "concat",
+                                    (const xmlChar *) EXSLT_STRINGS_NAMESPACE,
+-                                   exsltStrConcatFunction)
+-        && !xmlXPathRegisterFuncNS(ctxt,
+-                                   (const xmlChar *) "replace",
+-                                   (const xmlChar *) EXSLT_STRINGS_NAMESPACE,
+-                                   exsltStrReplaceFunction)) {
++                                   exsltStrConcatFunction)) {
+         return 0;
+     }
+     return -1;
+-- 
+cgit v0.11.2
+
diff --git a/dev-libs/libxslt/files/libxslt-1.1.28-fix-quoting-xlocale.patch b/dev-libs/libxslt/files/libxslt-1.1.28-fix-quoting-xlocale.patch
@@ -0,0 +1,47 @@
+From 0a1a5f8c67c90637f0ea3fdc9ec35280d54878d8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Tue, 30 Jul 2013 13:57:28 +0200
+Subject: Fix quoting of xlocale test program in configure.in
+
+Double square brackets aren't needed anymore, probably due to the
+changes in commit a2cd8a03.
+---
+ configure.in | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index fc8d5a8..dcbd971 100644
+--- a/configure.in
++++ b/configure.in
+@@ -196,21 +196,21 @@ typedef locale_t xsltLocale;
+ #endif
+ ]],[[
+     xsltLocale locale;
+-    const char *src[[2]] = { "\xc3\x84rger", "Zeppelin" };
+-    char *dst[[2]];
++    const char *src[2] = { "\xc3\x84rger", "Zeppelin" };
++    char *dst[2];
+     size_t len, r;
+     int i;
+
+     locale = newlocale(LC_COLLATE_MASK, "en_US.utf8", NULL);
+     if (locale == NULL) exit(1);
+     for (i=0; i<2; ++i) {
+-        len = strxfrm_l(NULL, src[[i]], 0, locale) + 1;
+-        dst[[i]] = malloc(len);
+-        if(dst[[i]] == NULL) exit(1);
+-        r = strxfrm_l(dst[[i]], src[[i]], len, locale);
++        len = strxfrm_l(NULL, src[i], 0, locale) + 1;
++        dst[i] = malloc(len);
++        if(dst[i] == NULL) exit(1);
++        r = strxfrm_l(dst[i], src[i], len, locale);
+         if(r >= len) exit(1);
+     }
+-    if (strcmp(dst[[0]], dst[[1]]) >= 0) exit(1);
++    if (strcmp(dst[0], dst[1]) >= 0) exit(1);
+
+     exit(0);
+     return(0);
+-- 
+cgit v0.11.2
+
diff --git a/dev-libs/libxslt/files/libxslt-1.1.28-seed-pseudo-random-generator.patch b/dev-libs/libxslt/files/libxslt-1.1.28-seed-pseudo-random-generator.patch
@@ -0,0 +1,60 @@
+From 3fcf11ead6ad226227b0a3ef4cc6565b8d5857ff Mon Sep 17 00:00:00 2001
+From: Nils Werner <[email protected]>
+Date: Thu, 24 Jan 2013 19:44:03 +0100
+Subject: Initialize pseudo random number generator with current time or
+ optional command line parameter
+
+---
+ xsltproc/xsltproc.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
+index dfd6d31..45adf5d 100644
+--- a/xsltproc/xsltproc.c
++++ b/xsltproc/xsltproc.c
+@@ -514,6 +514,7 @@ static void usage(const char *name) {
+     printf("\t--maxdepth val : increase the maximum depth (default %d)\n", xsltMaxDepth);
+     printf("\t--maxvars val : increase the maximum variables (default %d)\n", xsltMaxVars);
+     printf("\t--maxparserdepth val : increase the maximum parser depth\n");
++    printf("\t--seed-rand val : initialize pseudo random number generator with specific seed\n");
+ #ifdef LIBXML_HTML_ENABLED
+     printf("\t--html: the input document is(are) an HTML file(s)\n");
+ #endif
+@@ -556,6 +557,7 @@ main(int argc, char **argv)
+         return (1);
+     }
+
++    srand(time(NULL));
+     xmlInitMemory();
+
+     LIBXML_TEST_VERSION
+@@ -750,6 +752,15 @@ main(int argc, char **argv)
+                 if (value > 0)
+                     xmlParserMaxDepth = value;
+             }
++        } else if ((!strcmp(argv[i], "-seed-rand")) ||
++                   (!strcmp(argv[i], "--seed-rand"))) {
++            int value;
++
++            i++;
++            if (sscanf(argv[i], "%d", &value) == 1) {
++                if (value > 0)
++                    srand(value);
++            }
+         } else if ((!strcmp(argv[i],"-dumpextensions"))||
+ 			(!strcmp(argv[i],"--dumpextensions"))) {
+ 		dumpextensions++;
+@@ -786,6 +797,10 @@ main(int argc, char **argv)
+             (!strcmp(argv[i], "--maxparserdepth"))) {
+             i++;
+             continue;
++        } else if ((!strcmp(argv[i], "-seed-rand")) ||
++            (!strcmp(argv[i], "--seed-rand"))) {
++            i++;
++            continue;
+         } else if ((!strcmp(argv[i], "-o")) ||
+                    (!strcmp(argv[i], "-output")) ||
+                    (!strcmp(argv[i], "--output"))) {
+-- 
+cgit v0.11.2
+