[libxslt/f17] Fixes CVE-2011-1202 CVE-2011-3970 CVE-2012-2825 CVE-2012-2871 CVE-2012-2870
Daniel Veillard
veillard at fedoraproject.org
Wed Sep 12 08:29:09 UTC 2012
commit 1cb470dbbb22dc3baed9824aef29551e7f5dd5af
Author: Daniel Veillard <veillard at redhat.com>
Date: Wed Sep 12 16:28:21 2012 +0800
Fixes CVE-2011-1202 CVE-2011-3970 CVE-2012-2825 CVE-2012-2871 CVE-2012-2870
- Fix direct pattern matching bug
- Fix popping of vars in xsltCompilerNodePop
- Fix bug 602515
- Fix generate-id() to not expose object addresses (CVE-2011-1202)
- Fix some case of pattern parsing errors (CVE-2011-3970)
- Fix a bug in selecting XSLT elements (CVE-2012-2825)
- Fix portability to upcoming libxml2-2.9.0
- Fix default template processing on namespace nodes (CVE-2012-2871)
- Cleanup of the pattern compilation code (CVE-2012-2870)
- Hardening of code checking node types in various entry point (CVE-2012-2870)
- Hardening of code checking node types in EXSLT (CVE-2012-2870)
- Fix system-property with unknown namespace
- Xsltproc should return an error code if xinclude fails
- Fix a dictionary string usage
- Avoid a heap use after free error
libxslt-Avoid-a-heap-use-after-free-error.patch | 54 ++
...t-Cleanup-of-the-pattern-compilation-code.patch | 214 +++++++
libxslt-Fix-a-bug-in-selecting-XSLT-elements.patch | 32 +
libxslt-Fix-a-dictionary-string-usage.patch | 113 ++++
libxslt-Fix-bug-602515.patch | 142 +++++
...lt-template-processing-on-namespace-nodes.patch | 42 ++
libxslt-Fix-direct-pattern-matching-bug.patch | 96 ++++
...enerate-id-to-not-expose-object-addresses.patch | 66 +++
...ix-popping-of-vars-in-xsltCompilerNodePop.patch | 35 ++
...Fix-portability-to-upcoming-libxml2-2.9.0.patch | 71 +++
...t-Fix-some-case-of-pattern-parsing-errors.patch | 33 ++
...ix-system-property-with-unknown-namespace.patch | 69 +++
...ning-of-code-checking-node-types-in-EXSLT.patch | 42 ++
...hecking-node-types-in-various-entry-point.patch | 594 ++++++++++++++++++++
...ld-return-an-error-code-if-xinclude-fails.patch | 51 ++
libxslt.spec | 53 ++-
16 files changed, 1706 insertions(+), 1 deletions(-)
---
diff --git a/libxslt-Avoid-a-heap-use-after-free-error.patch b/libxslt-Avoid-a-heap-use-after-free-error.patch
new file mode 100644
index 0000000..5e557f1
--- /dev/null
+++ b/libxslt-Avoid-a-heap-use-after-free-error.patch
@@ -0,0 +1,54 @@
+From 5e1a0d7cb8f59b30506cdbaa5edf9a8bf55c48c8 Mon Sep 17 00:00:00 2001
+From: Chris Evans <cevans at chromium.org>
+Date: Mon, 3 Sep 2012 18:16:44 +0800
+Subject: [PATCH] Avoid a heap use after free error
+To: libvir-list at redhat.com
+
+For https://code.google.com/p/chromium/issues/detail?id=140368
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/functions.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 01852b8..fd35dd0 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -654,6 +654,7 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
+ void
+ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ xmlNodePtr cur = NULL;
++ xmlXPathObjectPtr obj = NULL;
+ long val;
+ xmlChar str[30];
+ xmlDocPtr doc;
+@@ -661,7 +662,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ if (nargs == 0) {
+ cur = ctxt->context->node;
+ } else if (nargs == 1) {
+- xmlXPathObjectPtr obj;
+ xmlNodeSetPtr nodelist;
+ int i, ret;
+
+@@ -684,7 +684,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ if (ret == -1)
+ cur = nodelist->nodeTab[i];
+ }
+- xmlXPathFreeObject(obj);
+ } else {
+ xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,
+ "generate-id() : invalid number of args %d\n", nargs);
+@@ -707,6 +706,9 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+
+ }
+
++ if (obj)
++ xmlXPathFreeObject(obj);
++
+ val = (long)((char *)cur - (char *)doc);
+ if (val >= 0) {
+ sprintf((char *)str, "idp%ld", val);
+--
+1.7.11.4
+
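Review bot: In xsltGenerateIdFunction the relocated `xmlXPathFreeObject(obj)` still runs before `val = (long)((char *)cur - (char *)doc);`, so when `cur` points at a node owned by the popped node-set (presumably the case this patch is about) its value is read after the owner has been released. Nothing is dereferenced at that point, but moving the release below the code that formats and pushes the id would keep every use of `cur` ahead of the free. A comment on the declaration, such as `/* obj owns the node-set cur may point into; free it only after the last use of cur */`, would record why the free was moved. The function body starts and ends outside the inner hunks shown.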
diff --git a/libxslt-Cleanup-of-the-pattern-compilation-code.patch b/libxslt-Cleanup-of-the-pattern-compilation-code.patch
new file mode 100644
index 0000000..9497e53
--- /dev/null
+++ b/libxslt-Cleanup-of-the-pattern-compilation-code.patch
@@ -0,0 +1,214 @@
+From 6360cc1a453b0962fba074797a32dc0e1dd496e4 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Thu, 9 Aug 2012 15:31:07 +0800
+Subject: [PATCH] Cleanup of the pattern compilation code
+To: libvir-list at redhat.com
+
+Avoid potential crashes and memory leaks
+https://bugzilla.redhat.com/show_bug.cgi?id=852937
+CVE-2012-2870
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/pattern.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 47 insertions(+), 6 deletions(-)
+
+diff --git a/libxslt/pattern.c b/libxslt/pattern.c
+index 1155b54..a6140cb 100644
+--- a/libxslt/pattern.c
++++ b/libxslt/pattern.c
+@@ -303,6 +303,10 @@ xsltCompMatchAdd(xsltParserContextPtr ctxt, xsltCompMatchPtr comp,
+ "xsltCompMatchAdd: memory re-allocation failure.\n");
+ if (ctxt->style != NULL)
+ ctxt->style->errors++;
++ if (value)
++ xmlFree(value);
++ if (value2)
++ xmlFree(value2);
+ return (-1);
+ }
+ comp->maxStep *= 2;
+@@ -1384,17 +1388,22 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ NEXT;
+ SKIP_BLANKS;
+ lit = xsltScanLiteral(ctxt);
+- if (ctxt->error)
++ if (ctxt->error) {
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltCompileIdKeyPattern : Literal expected\n");
+ return;
++ }
+ SKIP_BLANKS;
+ if (CUR != ')') {
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltCompileIdKeyPattern : ) expected\n");
++ xmlFree(lit);
+ ctxt->error = 1;
+ return;
+ }
+ NEXT;
+ PUSH(XSLT_OP_ID, lit, NULL, novar);
++ lit = NULL;
+ } else if ((aid) && (xmlStrEqual(name, (const xmlChar *)"key"))) {
+ if (axis != 0) {
+ xsltTransformError(NULL, NULL, NULL,
+@@ -1405,8 +1414,11 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ NEXT;
+ SKIP_BLANKS;
+ lit = xsltScanLiteral(ctxt);
+- if (ctxt->error)
++ if (ctxt->error) {
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltCompileIdKeyPattern : Literal expected\n");
+ return;
++ }
+ SKIP_BLANKS;
+ if (CUR != ',') {
+ xsltTransformError(NULL, NULL, NULL,
+@@ -1417,25 +1429,36 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ NEXT;
+ SKIP_BLANKS;
+ lit2 = xsltScanLiteral(ctxt);
+- if (ctxt->error)
++ if (ctxt->error) {
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltCompileIdKeyPattern : Literal expected\n");
++ xmlFree(lit);
+ return;
++ }
+ SKIP_BLANKS;
+ if (CUR != ')') {
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltCompileIdKeyPattern : ) expected\n");
++ xmlFree(lit);
++ xmlFree(lit2);
+ ctxt->error = 1;
+ return;
+ }
+ NEXT;
+ /* URGENT TODO: support namespace in keys */
+ PUSH(XSLT_OP_KEY, lit, lit2, novar);
++ lit = NULL;
++ lit2 = NULL;
+ } else if (xmlStrEqual(name, (const xmlChar *)"processing-instruction")) {
+ NEXT;
+ SKIP_BLANKS;
+ if (CUR != ')') {
+ lit = xsltScanLiteral(ctxt);
+- if (ctxt->error)
++ if (ctxt->error) {
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltCompileIdKeyPattern : Literal expected\n");
+ return;
++ }
+ SKIP_BLANKS;
+ if (CUR != ')') {
+ xsltTransformError(NULL, NULL, NULL,
+@@ -1446,6 +1469,7 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ }
+ NEXT;
+ PUSH(XSLT_OP_PI, lit, NULL, novar);
++ lit = NULL;
+ } else if (xmlStrEqual(name, (const xmlChar *)"text")) {
+ NEXT;
+ SKIP_BLANKS;
+@@ -1496,8 +1520,7 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ return;
+ }
+ error:
+- if (name != NULL)
+- xmlFree(name);
++ return;
+ }
+
+ /**
+@@ -1560,6 +1583,8 @@ parse_node_test:
+ SKIP_BLANKS;
+ if (CUR == '(') {
+ xsltCompileIdKeyPattern(ctxt, token, 0, novar, axis);
++ xmlFree(token);
++ token = NULL;
+ if (ctxt->error)
+ goto error;
+ } else if (CUR == ':') {
+@@ -1578,20 +1603,24 @@ parse_node_test:
+ "xsltCompileStepPattern : no namespace bound to prefix %s\n",
+ prefix);
+ xmlFree(prefix);
++ prefix=NULL;
+ ctxt->error = 1;
+ goto error;
+ } else {
+ URL = xmlStrdup(ns->href);
+ }
+ xmlFree(prefix);
++ prefix=NULL;
+ if (token == NULL) {
+ if (CUR == '*') {
+ NEXT;
+ if (axis == AXIS_ATTRIBUTE) {
+ PUSH(XSLT_OP_ATTR, NULL, URL, novar);
++ URL = NULL;
+ }
+ else {
+ PUSH(XSLT_OP_NS, URL, NULL, novar);
++ URL = NULL;
+ }
+ } else {
+ xsltTransformError(NULL, NULL, NULL,
+@@ -1602,9 +1631,13 @@ parse_node_test:
+ } else {
+ if (axis == AXIS_ATTRIBUTE) {
+ PUSH(XSLT_OP_ATTR, token, URL, novar);
++ token = NULL;
++ URL = NULL;
+ }
+ else {
+ PUSH(XSLT_OP_ELEM, token, URL, novar);
++ token = NULL;
++ URL = NULL;
+ }
+ }
+ } else {
+@@ -1626,6 +1659,7 @@ parse_node_test:
+ goto error;
+ }
+ xmlFree(token);
++ token = NULL;
+ SKIP_BLANKS;
+ token = xsltScanNCName(ctxt);
+ goto parse_node_test;
+@@ -1640,9 +1674,13 @@ parse_node_test:
+ URL = xmlStrdup(URI);
+ if (axis == AXIS_ATTRIBUTE) {
+ PUSH(XSLT_OP_ATTR, token, URL, novar);
++ token = NULL;
++ URL = NULL;
+ }
+ else {
+ PUSH(XSLT_OP_ELEM, token, URL, novar);
++ token = NULL;
++ URL = NULL;
+ }
+ }
+ parse_predicate:
+@@ -1682,6 +1720,7 @@ parse_predicate:
+ }
+ ret = xmlStrndup(q, CUR_PTR - q);
+ PUSH(XSLT_OP_PREDICATE, ret, NULL, novar);
++ ret = NULL;
+ /* push the predicate lower than local test */
+ SWAP();
+ NEXT;
+@@ -1790,6 +1829,8 @@ xsltCompileLocationPathPattern(xsltParserContextPtr ctxt, int novar) {
+ SKIP_BLANKS;
+ if ((CUR == '(') && !xmlXPathIsNodeType(name)) {
+ xsltCompileIdKeyPattern(ctxt, name, 1, novar, 0);
++ xmlFree(name);
++ name = NULL;
+ if ((CUR == '/') && (NXT(1) == '/')) {
+ PUSH(XSLT_OP_ANCESTOR, NULL, NULL, novar);
+ NEXT;
+--
+1.7.11.4
+
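Review bot: The `key(` branch of xsltCompileIdKeyPattern still appears to leak `lit` when the comma is missing: the `if (CUR != ',')` error path is only context in this patch and gains no `xmlFree(lit)`, unlike the `) expected` paths that now free it. The same looks true of the `CUR != ')'` path in the `processing-instruction` branch, whose body lies between two inner hunks. Unless those unchanged lines already release the literal, each should get `xmlFree(lit);` before `ctxt->error = 1;`. Since `name` is no longer freed at `error:` and both callers now call `xmlFree()` themselves, the function's header comment should also state that the caller keeps ownership of `name`.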
diff --git a/libxslt-Fix-a-bug-in-selecting-XSLT-elements.patch b/libxslt-Fix-a-bug-in-selecting-XSLT-elements.patch
new file mode 100644
index 0000000..14f5c7d
--- /dev/null
+++ b/libxslt-Fix-a-bug-in-selecting-XSLT-elements.patch
@@ -0,0 +1,32 @@
+From f24fe84003e48b9bc082fa3bcbcae96b07458e08 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Tue, 7 Aug 2012 11:26:43 +0800
+Subject: [PATCH] Fix a bug in selecting XSLT elements
+To: libvir-list at redhat.com
+
+For https://bugzilla.redhat.com/show_bug.cgi?id=835982
+CVE-2012-2825
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/xsltutils.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libxslt/xsltutils.h b/libxslt/xsltutils.h
+index 3886be3..c986a9c 100644
+--- a/libxslt/xsltutils.h
++++ b/libxslt/xsltutils.h
+@@ -52,8 +52,8 @@ extern "C" {
+ * Checks that the element pertains to XSLT namespace.
+ */
+ #define IS_XSLT_ELEM(n) \
+- (((n) != NULL) && ((n)->ns != NULL) && \
+- (xmlStrEqual((n)->ns->href, XSLT_NAMESPACE)))
++ (((n) != NULL) && ((n)->type == XML_ELEMENT_NODE) && \
++ ((n)->ns != NULL) && (xmlStrEqual((n)->ns->href, XSLT_NAMESPACE)))
+
+ /**
+ * IS_XSLT_NAME:
+--
+1.7.11.4
+
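Review bot: IS_XSLT_ELEM now evaluates its argument four times, so the macro's doc comment should warn against passing an expression with side effects. The comment should also record why the type test comes first, for example `Non-element nodes such as namespace declarations are not laid out like xmlNode, so the type is checked before ns is read.` IS_XSLT_NAME begins just after the hunk and is not shown; it is worth checking whether any caller uses it without IS_XSLT_ELEM, as it would then need the same guard.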
diff --git a/libxslt-Fix-a-dictionary-string-usage.patch b/libxslt-Fix-a-dictionary-string-usage.patch
new file mode 100644
index 0000000..3e49717
--- /dev/null
+++ b/libxslt-Fix-a-dictionary-string-usage.patch
@@ -0,0 +1,113 @@
+From f666f7e8434f4991cb608590ed77c482c778e971 Mon Sep 17 00:00:00 2001
+From: Chris Evans <cevans at chromium.org>
+Date: Mon, 3 Sep 2012 15:50:22 +0800
+Subject: [PATCH] Fix a dictionary string usage
+To: libvir-list at redhat.com
+
+Heap-double-free in xmlFreeNodeList
+http://code.google.com/p/chromium/issues/detail?id=144799
+
+Raised in chromium, but also affecting xsltproc
+Also updated AUTHORS to list Chris and other contributors
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ AUTHORS | 45 ++++++++++++++++++++++++++++++++++++++++++++-
+ libxslt/templates.c | 7 +++++--
+ 2 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/AUTHORS b/AUTHORS
+index 094ebbc..3a70a17 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -5,7 +5,7 @@ Daniel Veillard:
+ Used to work at W3C, now Red Hat
+ co-chair of W3C XML Linking WG
+ invited expert on the W3C XML Core WG
+- Author of libxml upon which this library is based.
++ Author of libxml2 upon which this library is based.
+
+ Bjorn Reese:
+ breese at users.sourceforge.net
+@@ -18,3 +18,46 @@ William Brack <wbrack at mmm.com.hk>
+ Thomas Broyer <tbroyer at ltgt.net>
+
+ Igor Zlatkovic <igor at zlatkovic.com> for the Windows port
++
++Patches gently provided by a multitude of people :
++
++Abhishek Arya <inferno at chromium.org>
++Ben Walton <bwalton at artsci.utoronto.ca>
++Bjorn Reese <breese at src.gnome.org>
++C. M. Sperberg-McQueen <cmsmcq at blackmesatech.com>
++Colin Walters <walters at verbum.org>
++Daniel Mustieles <daniel.mustieles at gmail.com>
++Daniel Richard G <oss at teragram.com>
++Darin Adler <darin at src.gnome.org>
++ÉRDI Gergo <cactus at src.gnome.org>
++Fatih Demir <kabalak at src.gnome.org>
++Federico Mena Quintero <federico at ximian.com>
++Frederic Crozat <fcrozat at mandriva.com>
++Hao Hu <ihaohu at gmail.com>
++Havoc Pennington <hp at pobox.com>
++IlyaS <astro.courier at gmail.com>
++jacob berkman <jacob at ximian.com>
++Jason Viers <bean at beanalby.net>
++Jérôme Carretero <cJ-xslt at zougloub.eu>
++Joachim Breitner <nomeata at debian.org>
++Johan Dahlin <zilch at src.gnome.org>
++John Fleck <jfleck at inkstain.net>
++Jose Maria Celorio <chema at src.gnome.org>
++Julio M. Merino Vidal <jmmv at NetBSD.org>
++Kasimier T. Buchcik <kbuchcik at src.gnome.org>
++Kjartan Maraas <kmaraas at src.gnome.org>
++Laurence Rowe <l at lrowe.co.uk>
++Malcolm Purvis <malcolm at purvis.id.au>
++Martin <gzlist at googlemail.com>
++MDT 2002 John Fleck <jfleck at inkstain.net>
++Michael Bonfils <murlock42 at gmail.com>
++money_seshu Dronamraju <mcseshu at gmail.com>
++Nick Wellnhofer <wellnhofer at aevum.de>
++Nix <nix at esperi.org.uk>
++Pedro F. Giffuni <giffunip at tutopia.com>
++Peter Williams <peterw at ximian.com>
++Rob Richards <rrichard at src.gnome.org>
++Roumen Petrov <bugtrack at roumenpetrov.info>
++Stefan Kost <ensonic at users.sf.net>
++Tomasz Kłoczko <kloczek at src.gnome.org>
++Chris Evans <cevans at chromium.org>
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index 81de93c..e1289fc 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -18,6 +18,7 @@
+ #include <libxml/globals.h>
+ #include <libxml/xmlerror.h>
+ #include <libxml/tree.h>
++#include <libxml/dict.h>
+ #include <libxml/xpathInternals.h>
+ #include <libxml/parserInternals.h>
+ #include "xslt.h"
+@@ -576,7 +577,8 @@ xsltAttrTemplateProcess(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ }
+ } else if ((ctxt->internalized) && (target != NULL) &&
+ (target->doc != NULL) &&
+- (target->doc->dict == ctxt->dict)) {
++ (target->doc->dict == ctxt->dict) &&
++ xmlDictOwns(ctxt->dict, value)) {
+ text->content = (xmlChar *) value;
+ } else {
+ text->content = xmlStrdup(value);
+@@ -762,7 +764,8 @@ xsltAttrListTemplateProcess(xsltTransformContextPtr ctxt,
+ }
+ } else if ((ctxt->internalized) &&
+ (target->doc != NULL) &&
+- (target->doc->dict == ctxt->dict))
++ (target->doc->dict == ctxt->dict) &&
++ xmlDictOwns(ctxt->dict, value))
+ {
+ text->content = (xmlChar *) value;
+ } else {
+--
+1.7.11.4
+
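Review bot: `xmlDictOwns()` returns -1 on error as well as 1 for an owned string, and both added conditions use the result as a plain truth value, so an error return would still take the branch that stores `value` in `text->content` without copying it. Comparing explicitly, `xmlDictOwns(ctxt->dict, value) == 1`, in xsltAttrTemplateProcess and in xsltAttrListTemplateProcess makes the `xmlStrdup(value)` fallback the default whenever ownership cannot be confirmed. Both functions extend beyond the hunks shown.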
diff --git a/libxslt-Fix-bug-602515.patch b/libxslt-Fix-bug-602515.patch
new file mode 100644
index 0000000..2281f4b
--- /dev/null
+++ b/libxslt-Fix-bug-602515.patch
@@ -0,0 +1,142 @@
+From 2d7c1a88505b01f859966abbea2268d9f95ac7ed Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Mon, 8 Nov 2010 10:59:24 +0100
+Subject: [PATCH] Fix bug 602515
+To: libvir-list at redhat.com
+
+Pattern matching with predicates
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/pattern.c | 17 ++++++++---------
+ tests/docs/bug-171.xml | 4 ++++
+ tests/general/Makefile.am | 1 +
+ tests/general/bug-171.out | 2 ++
+ tests/general/bug-171.xsl | 7 +++++++
+ 5 files changed, 22 insertions(+), 9 deletions(-)
+ create mode 100644 tests/docs/bug-171.xml
+ create mode 100644 tests/general/bug-171.out
+ create mode 100644 tests/general/bug-171.xsl
+
+diff --git a/libxslt/pattern.c b/libxslt/pattern.c
+index 58bd6ed..6161376 100644
+--- a/libxslt/pattern.c
++++ b/libxslt/pattern.c
+@@ -888,11 +888,10 @@ restart:
+ (node->type == XML_ELEMENT_NODE) &&
+ (node->parent != NULL)) {
+ xmlNodePtr previous;
+- int ix, nocache = 0;
++ int nocache = 0;
+
+ previous = (xmlNodePtr)
+ XSLT_RUNTIME_EXTRA(ctxt, sel->previousExtra, ptr);
+- ix = XSLT_RUNTIME_EXTRA(ctxt, sel->indexExtra, ival);
+ if ((previous != NULL) &&
+ (previous->parent == node->parent)) {
+ /*
+@@ -904,7 +903,7 @@ restart:
+ while (sibling != NULL) {
+ if (sibling == previous)
+ break;
+- if ((previous->type == XML_ELEMENT_NODE) &&
++ if ((sibling->type == XML_ELEMENT_NODE) &&
+ (previous->name != NULL) &&
+ (sibling->name != NULL) &&
+ (previous->name[0] == sibling->name[0]) &&
+@@ -925,7 +924,7 @@ restart:
+ while (sibling != NULL) {
+ if (sibling == previous)
+ break;
+- if ((previous->type == XML_ELEMENT_NODE) &&
++ if ((sibling->type == XML_ELEMENT_NODE) &&
+ (previous->name != NULL) &&
+ (sibling->name != NULL) &&
+ (previous->name[0] == sibling->name[0]) &&
+@@ -943,7 +942,8 @@ restart:
+ }
+ }
+ if (sibling != NULL) {
+- pos = ix + indx;
++ pos = XSLT_RUNTIME_EXTRA(ctxt,
++ sel->indexExtra, ival) + indx;
+ /*
+ * If the node is in a Value Tree we need to
+ * save len, but cannot cache the node!
+@@ -959,7 +959,6 @@ restart:
+ sel->indexExtra, ival) = pos;
+ }
+ }
+- ix = pos;
+ } else
+ pos = 0;
+ } else {
+@@ -1020,11 +1019,10 @@ restart:
+ } else if ((sel != NULL) && (sel->op == XSLT_OP_ALL) &&
+ (node->type == XML_ELEMENT_NODE)) {
+ xmlNodePtr previous;
+- int ix, nocache = 0;
++ int nocache = 0;
+
+ previous = (xmlNodePtr)
+ XSLT_RUNTIME_EXTRA(ctxt, sel->previousExtra, ptr);
+- ix = XSLT_RUNTIME_EXTRA(ctxt, sel->indexExtra, ival);
+ if ((previous != NULL) &&
+ (previous->parent == node->parent)) {
+ /*
+@@ -1053,7 +1051,8 @@ restart:
+ }
+ }
+ if (sibling != NULL) {
+- pos = ix + indx;
++ pos = XSLT_RUNTIME_EXTRA(ctxt,
++ sel->indexExtra, ival) + indx;
+ /*
+ * If the node is in a Value Tree we cannot
+ * cache it !
+diff --git a/tests/docs/bug-171.xml b/tests/docs/bug-171.xml
+new file mode 100644
+index 0000000..658021b
+--- /dev/null
++++ b/tests/docs/bug-171.xml
+@@ -0,0 +1,4 @@
++<root>
++ <text>one</text>
++ <text>two</text>
++</root>
+diff --git a/tests/general/Makefile.am b/tests/general/Makefile.am
+index e33a6c6..7207e15 100644
+--- a/tests/general/Makefile.am
++++ b/tests/general/Makefile.am
+@@ -178,6 +178,7 @@ EXTRA_DIST = \
+ bug-168.out bug-168.xsl \
+ bug-169.out bug-169.xsl bug-169.imp \
+ bug-170.out bug-170.xsl \
++ bug-171.out bug-171.xsl \
+ character.out character.xsl \
+ character2.out character2.xsl \
+ itemschoose.out itemschoose.xsl \
+diff --git a/tests/general/bug-171.out b/tests/general/bug-171.out
+new file mode 100644
+index 0000000..5b87d4f
+--- /dev/null
++++ b/tests/general/bug-171.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++two
+diff --git a/tests/general/bug-171.xsl b/tests/general/bug-171.xsl
+new file mode 100644
+index 0000000..25a7c94
+--- /dev/null
++++ b/tests/general/bug-171.xsl
+@@ -0,0 +1,7 @@
++<xsl:transform version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
++ <xsl:template match="text[2]">
++ <xsl:value-of select="."/>
++ </xsl:template>
++
++ <xsl:template match="text()"/>
++</xsl:transform>
+--
+1.7.11.4
+
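Review bot: The regression test only exercises the element-name path (`match="text[2]"`), while the patch also rewrites the cached-index lookup in the `XSLT_OP_ALL` branch. A second template with a positional predicate on a wildcard step, which is presumably what reaches that branch, would cover the other half of the change. A short comment at `pos = XSLT_RUNTIME_EXTRA(ctxt, sel->indexExtra, ival) + indx;` saying that the cached index is read only once the sibling walk has found `previous` would also explain why the `ix` local was removed.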
diff --git a/libxslt-Fix-default-template-processing-on-namespace-nodes.patch b/libxslt-Fix-default-template-processing-on-namespace-nodes.patch
new file mode 100644
index 0000000..b26af70
--- /dev/null
+++ b/libxslt-Fix-default-template-processing-on-namespace-nodes.patch
@@ -0,0 +1,42 @@
+From d5e41961b53e7f4e799406ed00d420af640a9f63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Wed, 8 Aug 2012 15:31:05 +0800
+Subject: [PATCH] Fix default template processing on namespace nodes
+To: libvir-list at redhat.com
+
+For https://bugzilla.redhat.com/show_bug.cgi?id=852935
+CVE-2012-2871
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/transform.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index a4ca41d..04d0468 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -4832,7 +4832,10 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ list = xmlXPathNodeSetCreate(NULL);
+ if (list == NULL)
+ goto error;
+- cur = node->children;
++ if (node->type != XML_NAMESPACE_DECL)
++ cur = node->children;
++ else
++ cur = NULL;
+ while (cur != NULL) {
+ switch (cur->type) {
+ case XML_TEXT_NODE:
+@@ -4881,6 +4884,8 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ if (cur->prev != NULL)
+ cur->prev->next = cur->next;
+ break;
++ case XML_NAMESPACE_DECL:
++ break;
+ default:
+ #ifdef WITH_XSLT_DEBUG_PROCESS
+ XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext,
+--
+1.7.11.4
+
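Review bot: The new `node->type != XML_NAMESPACE_DECL` test in xsltApplyTemplates needs a comment saying why `children` must not be read there, e.g. `/* a namespace node is an xmlNs, which has no children field */`. The added `case XML_NAMESPACE_DECL: break;` inside the loop is harder to justify from the visible code, since as far as the hunk shows `cur` only ever comes from a child list; if it is purely defensive, a comment should say so. No regression test accompanies the change. The function continues outside both inner hunks.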
diff --git a/libxslt-Fix-direct-pattern-matching-bug.patch b/libxslt-Fix-direct-pattern-matching-bug.patch
new file mode 100644
index 0000000..bebe429
--- /dev/null
+++ b/libxslt-Fix-direct-pattern-matching-bug.patch
@@ -0,0 +1,96 @@
+From 1a97e3ebe98516b63b083236fe109752f5dfba8f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Mon, 8 Nov 2010 10:42:33 +0100
+Subject: [PATCH] Fix direct pattern matching bug
+To: libvir-list at redhat.com
+
+and adds a test case for the problem,
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/pattern.c | 6 +++++-
+ tests/docs/bug-170.xml | 3 +++
+ tests/general/Makefile.am | 1 +
+ tests/general/bug-170.out | 4 ++++
+ tests/general/bug-170.xsl | 6 ++++++
+ 6 files changed, 20 insertions(+), 1 deletion(-)
+ create mode 100644 tests/docs/bug-170.xml
+ create mode 100644 tests/general/bug-170.out
+ create mode 100644 tests/general/bug-170.xsl
+
+diff --git a/libxslt/pattern.c b/libxslt/pattern.c
+index 8ce74e3..58bd6ed 100644
+--- a/libxslt/pattern.c
++++ b/libxslt/pattern.c
+@@ -546,13 +546,15 @@ xsltTestCompMatchDirect(xsltTransformContextPtr ctxt, xsltCompMatchPtr comp,
+ xmlNodePtr parent = node->parent;
+ xmlDocPtr olddoc;
+ xmlNodePtr oldnode;
+- int oldNsNr;
++ int oldNsNr, oldContextSize, oldProximityPosition;
+ xmlNsPtr *oldNamespaces;
+
+ oldnode = ctxt->xpathCtxt->node;
+ olddoc = ctxt->xpathCtxt->doc;
+ oldNsNr = ctxt->xpathCtxt->nsNr;
+ oldNamespaces = ctxt->xpathCtxt->namespaces;
++ oldContextSize = ctxt->xpathCtxt->contextSize;
++ oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+ ctxt->xpathCtxt->node = node;
+ ctxt->xpathCtxt->doc = doc;
+ ctxt->xpathCtxt->namespaces = nsList;
+@@ -562,6 +564,8 @@ xsltTestCompMatchDirect(xsltTransformContextPtr ctxt, xsltCompMatchPtr comp,
+ ctxt->xpathCtxt->doc = olddoc;
+ ctxt->xpathCtxt->namespaces = oldNamespaces;
+ ctxt->xpathCtxt->nsNr = oldNsNr;
++ ctxt->xpathCtxt->contextSize = oldContextSize;
++ ctxt->xpathCtxt->proximityPosition = oldProximityPosition;
+ if (newlist == NULL)
+ return(-1);
+ if (newlist->type != XPATH_NODESET) {
+diff --git a/tests/docs/bug-170.xml b/tests/docs/bug-170.xml
+new file mode 100644
+index 0000000..08c3c4d
+--- /dev/null
++++ b/tests/docs/bug-170.xml
+@@ -0,0 +1,3 @@
++<root>
++ <a type="b"/>
++</root>
+diff --git a/tests/general/Makefile.am b/tests/general/Makefile.am
+index 5d5baf0..e33a6c6 100644
+--- a/tests/general/Makefile.am
++++ b/tests/general/Makefile.am
+@@ -177,6 +177,7 @@ EXTRA_DIST = \
+ bug-167.out bug-167.xsl \
+ bug-168.out bug-168.xsl \
+ bug-169.out bug-169.xsl bug-169.imp \
++ bug-170.out bug-170.xsl \
+ character.out character.xsl \
+ character2.out character2.xsl \
+ itemschoose.out itemschoose.xsl \
+diff --git a/tests/general/bug-170.out b/tests/general/bug-170.out
+new file mode 100644
+index 0000000..e24f8d3
+--- /dev/null
++++ b/tests/general/bug-170.out
+@@ -0,0 +1,4 @@
++<?xml version="1.0"?>
++
++
++
+diff --git a/tests/general/bug-170.xsl b/tests/general/bug-170.xsl
+new file mode 100644
+index 0000000..393bc4b
+--- /dev/null
++++ b/tests/general/bug-170.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
++ <xsl:template match="a[@type='b']" >
++ <xsl:if test="position()"/>
++ </xsl:template>
++ <xsl:template match="a[@type='XX'][.]"/>
++</xsl:stylesheet>
+--
+1.7.11.4
+
diff --git a/libxslt-Fix-generate-id-to-not-expose-object-addresses.patch b/libxslt-Fix-generate-id-to-not-expose-object-addresses.patch
new file mode 100644
index 0000000..496812e
--- /dev/null
+++ b/libxslt-Fix-generate-id-to-not-expose-object-addresses.patch
@@ -0,0 +1,66 @@
+From 7f1e3c31018a8914af99fa3a9ff05a811ea29f52 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Tue, 22 Feb 2011 10:14:23 +0800
+Subject: [PATCH] Fix generate-id() to not expose object addresses
+To: libvir-list at redhat.com
+
+For https://bugzilla.redhat.com/show_bug.cgi?id=684386
+CVE-2011-1202
+
+As pointed out by Chris Evans <scarybeasts at gmail.com> it's better
+security wise to not expose object addresses directly, use a diff
+w.r.t. the document root own address to avoid this
+* libxslt/functions.c: fix IDs generation code
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/functions.c | 26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 4720c7a..de962f4 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
+ void
+ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ xmlNodePtr cur = NULL;
+- unsigned long val;
+- xmlChar str[20];
++ long val;
++ xmlChar str[30];
++ xmlDocPtr doc;
+
+ if (nargs == 0) {
+ cur = ctxt->context->node;
+@@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ * Okay this is ugly but should work, use the NodePtr address
+ * to forge the ID
+ */
+- val = (unsigned long)((char *)cur - (char *)0);
+- val /= sizeof(xmlNode);
+- sprintf((char *)str, "id%ld", val);
++ if (cur->type != XML_NAMESPACE_DECL)
++ doc = cur->doc;
++ else {
++ xmlNsPtr ns = (xmlNsPtr) cur;
++
++ if (ns->context != NULL)
++ doc = ns->context;
++ else
++ doc = ctxt->context->doc;
++
++ }
++
++ val = (long)((char *)cur - (char *)doc);
++ if (val >= 0) {
++ sprintf((char *)str, "idp%ld", val);
++ } else {
++ sprintf((char *)str, "idm%ld", -val);
++ }
+ valuePush(ctxt, xmlXPathNewString(str));
+ }
+
+--
+1.7.11.4
+
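Review bot: The new id is only address-independent when `doc` is non-NULL: if `cur->doc`, or `ctxt->context->doc` in the namespace branch, is NULL, `(char *)cur - (char *)doc` is again the raw node address, which is the exposure CVE-2011-1202 describes. A guard before the subtraction should handle that case explicitly rather than fall through to the formatting. Subtracting pointers into different allocations is also undefined in C and `-val` overflows for LONG_MIN; computing the difference on `uintptr_t` values and formatting with `snprintf((char *)str, sizeof(str), ...)` avoids both. The retained comment `use the NodePtr address to forge the ID` is now stale and should describe the offset scheme.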
diff --git a/libxslt-Fix-popping-of-vars-in-xsltCompilerNodePop.patch b/libxslt-Fix-popping-of-vars-in-xsltCompilerNodePop.patch
new file mode 100644
index 0000000..ac5a5a5
--- /dev/null
+++ b/libxslt-Fix-popping-of-vars-in-xsltCompilerNodePop.patch
@@ -0,0 +1,35 @@
+From f3aaf4a35a6cadfc260149c332d5519e418135c6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Mon, 8 Nov 2010 10:49:32 +0100
+Subject: [PATCH] Fix popping of vars in xsltCompilerNodePop
+To: libvir-list at redhat.com
+
+Fix an off by one bug in Var pop-up in the compiler
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/xslt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 55f505b..28c8c59 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -2432,13 +2432,13 @@ xsltCompilerNodePop(xsltCompilerCtxtPtr cctxt, xmlNodePtr node)
+ "xsltCompilerNodePop: Depth mismatch.\n");
+ goto mismatch;
+ }
++ cctxt->depth--;
+ /*
+ * Pop information of variables.
+ */
+ if ((cctxt->ivar) && (cctxt->ivar->depth > cctxt->depth))
+ xsltCompilerVarInfoPop(cctxt);
+
+- cctxt->depth--;
+ cctxt->inode = cctxt->inode->prev;
+ if (cctxt->inode != NULL)
+ cctxt->inode->curChildType = 0;
+--
+1.7.11.4
+
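Review bot: The order of `cctxt->depth--` and the variable pop in xsltCompilerNodePop is now load-bearing, but nothing in the code says so. A comment above the moved line, e.g. `/* decrement first: ivar->depth is compared against the depth of the node we return to */`, would stop a later cleanup from moving it back; that reading is inferred from the `cctxt->ivar->depth > cctxt->depth` test and should be confirmed. Unlike the other pattern fixes in this series, the patch carries no regression test for the off-by-one.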
diff --git a/libxslt-Fix-portability-to-upcoming-libxml2-2.9.0.patch b/libxslt-Fix-portability-to-upcoming-libxml2-2.9.0.patch
new file mode 100644
index 0000000..1c31cf9
--- /dev/null
+++ b/libxslt-Fix-portability-to-upcoming-libxml2-2.9.0.patch
@@ -0,0 +1,71 @@
+From 91ce3966a525b77c23be53b8a82d0d7a07448ca9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Wed, 8 Aug 2012 14:21:51 +0800
+Subject: [PATCH] Fix portability to upcoming libxml2-2.9.0
+To: libvir-list at redhat.com
+
+A few place where an output buffer was accessed directly or as
+an xmlBuf
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/xsltutils.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 9565e15..749a768 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
+@@ -1537,9 +1537,11 @@ xsltSaveResultTo(xmlOutputBufferPtr buf, xmlDocPtr result,
+
+ if (omitXmlDecl != 1) {
+ xmlOutputBufferWriteString(buf, "<?xml version=");
+- if (result->version != NULL)
+- xmlBufferWriteQuotedString(buf->buffer, result->version);
+- else
++ if (result->version != NULL) {
++ xmlOutputBufferWriteString(buf, "\"");
++ xmlOutputBufferWriteString(buf, (const char *)result->version);
++ xmlOutputBufferWriteString(buf, "\"");
++ } else
+ xmlOutputBufferWriteString(buf, "\"1.0\"");
+ if (encoding == NULL) {
+ if (result->encoding != NULL)
+@@ -1551,7 +1553,9 @@ xsltSaveResultTo(xmlOutputBufferPtr buf, xmlDocPtr result,
+ }
+ if (encoding != NULL) {
+ xmlOutputBufferWriteString(buf, " encoding=");
+- xmlBufferWriteQuotedString(buf->buffer, (xmlChar *) encoding);
++ xmlOutputBufferWriteString(buf, "\"");
++ xmlOutputBufferWriteString(buf, (const char *) encoding);
++ xmlOutputBufferWriteString(buf, "\"");
+ }
+ switch (standalone) {
+ case 0:
+@@ -1754,6 +1758,15 @@ xsltSaveResultToString(xmlChar **doc_txt_ptr, int * doc_txt_len,
+ if (buf == NULL)
+ return(-1);
+ xsltSaveResultTo(buf, result, style);
++#ifdef LIBXML2_NEW_BUFFER
++ if (buf->conv != NULL) {
++ *doc_txt_len = xmlBufUse(buf->conv);
++ *doc_txt_ptr = xmlStrndup(xmlBufContent(buf->conv), *doc_txt_len);
++ } else {
++ *doc_txt_len = xmlBufUse(buf->buffer);
++ *doc_txt_ptr = xmlStrndup(xmlBufContent(buf->buffer), *doc_txt_len);
++ }
++#else
+ if (buf->conv != NULL) {
+ *doc_txt_len = buf->conv->use;
+ *doc_txt_ptr = xmlStrndup(buf->conv->content, *doc_txt_len);
+@@ -1761,6 +1774,7 @@ xsltSaveResultToString(xmlChar **doc_txt_ptr, int * doc_txt_len,
+ *doc_txt_len = buf->buffer->use;
+ *doc_txt_ptr = xmlStrndup(buf->buffer->content, *doc_txt_len);
+ }
++#endif
+ (void)xmlOutputBufferClose(buf);
+ return 0;
+ }
+--
+1.7.11.4
+
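Review bot: Writing `result->version` and `encoding` between hard-coded `"\""` strings in xsltSaveResultTo drops the quoting that `xmlBufferWriteQuotedString()` performed, which chooses the quote character from the content and escapes a value containing both kinds. A value with an embedded double quote would now yield a malformed XML declaration, so if either string can come from the stylesheet or the input document it should be validated, or quoted by one small helper shared by both sites. In xsltSaveResultToString the `size_t` returned by `xmlBufUse()` is stored in the `int` `*doc_txt_len` and the `xmlStrndup()` result is not checked, so a very large result or an allocation failure still returns 0.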
diff --git a/libxslt-Fix-some-case-of-pattern-parsing-errors.patch b/libxslt-Fix-some-case-of-pattern-parsing-errors.patch
new file mode 100644
index 0000000..233b264
--- /dev/null
+++ b/libxslt-Fix-some-case-of-pattern-parsing-errors.patch
@@ -0,0 +1,33 @@
+From 2f71e3212afb9834b7910b4a05cf69071569a60c Mon Sep 17 00:00:00 2001
+From: Abhishek Arya <inferno at chromium.org>
+Date: Sun, 22 Jan 2012 17:47:50 +0800
+Subject: [PATCH] Fix some case of pattern parsing errors
+To: libvir-list at redhat.com
+
+For https://bugzilla.redhat.com/show_bug.cgi?id=788826
+CVE-2011-3970
+
+We could accidentally hit an off by one string array access
+due to improper loop exit when parsing patterns
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/pattern.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libxslt/pattern.c b/libxslt/pattern.c
+index 6161376..1155b54 100644
+--- a/libxslt/pattern.c
++++ b/libxslt/pattern.c
+@@ -1867,6 +1867,8 @@ xsltCompilePatternInternal(const xmlChar *pattern, xmlDocPtr doc,
+ while ((pattern[end] != 0) && (pattern[end] != '"'))
+ end++;
+ }
++ if (pattern[end] == 0)
++ break;
+ end++;
+ }
+ if (current == end) {
+--
+1.7.11.4
+
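Review bot: The added `if (pattern[end] == 0) break;` in xsltCompilePatternInternal has no comment and no regression test, although it is the whole fix for CVE-2011-3970. A comment such as `/* unterminated literal: stop on the NUL so end++ cannot step past the string */` would explain it. From the hunk alone it is not clear whether the truncated pattern is then rejected or compiled as if complete; a test with an unterminated quoted literal should pin that down. The enclosing loop starts outside the hunk.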
diff --git a/libxslt-Fix-system-property-with-unknown-namespace.patch b/libxslt-Fix-system-property-with-unknown-namespace.patch
new file mode 100644
index 0000000..c2e045d
--- /dev/null
+++ b/libxslt-Fix-system-property-with-unknown-namespace.patch
@@ -0,0 +1,69 @@
+From c4e58969cb3a53ebb4b45131f7055f646d81381f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Wed, 15 Aug 2012 23:06:14 +0200
+Subject: [PATCH] Fix system-property with unknown namespace
+To: libvir-list at redhat.com
+
+The empty string should be returned, see bug #631803.
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/functions.c | 4 +++-
+ tests/docs/bug-176.xml | 1 +
+ tests/general/bug-176.out | 2 ++
+ tests/general/bug-176.xsl | 11 +++++++++++
+ 4 files changed, 17 insertions(+), 1 deletion(-)
+ create mode 100644 tests/docs/bug-176.xml
+ create mode 100644 tests/general/bug-176.out
+ create mode 100644 tests/general/bug-176.xsl
+
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index de962f4..01852b8 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -799,7 +799,9 @@ xsltSystemPropertyFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ } else {
+ valuePush(ctxt, xmlXPathNewString((const xmlChar *)""));
+ }
+- }
++ } else {
++ valuePush(ctxt, xmlXPathNewString((const xmlChar *)""));
++ }
+ if (name != NULL)
+ xmlFree(name);
+ if (prefix != NULL)
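Review bot: The new `else` branch should say why it exists: as far as the hunk shows, nothing was pushed before this change when the enclosing condition was false, so the function could finish without leaving a result on the XPath value stack. A one-line comment such as `/* unknown namespace: still push the empty string so a result is always returned */` would keep a later cleanup from dropping it again. The enclosing `if` starts above the hunk, so that it tests the namespace is inferred from the subject line only. The regression test added with this patch uses only a prefix bound to a foreign namespace (`msxsl:version`); a second case with an unprefixed unknown property name would pin the other route into this branch, if there is one.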
+diff --git a/tests/docs/bug-176.xml b/tests/docs/bug-176.xml
+new file mode 100644
+index 0000000..69d62f2
+--- /dev/null
++++ b/tests/docs/bug-176.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-176.out b/tests/general/bug-176.out
+new file mode 100644
+index 0000000..e829790
+--- /dev/null
++++ b/tests/general/bug-176.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++<result/>
+diff --git a/tests/general/bug-176.xsl b/tests/general/bug-176.xsl
+new file mode 100644
+index 0000000..6996e1e
+--- /dev/null
++++ b/tests/general/bug-176.xsl
+@@ -0,0 +1,11 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
++ xmlns:msxsl="urn:schemas-microsoft-com:xslt"
++ exclude-result-prefixes="msxsl"
++ version="1.0">
++ <xsl:template match="/">
++ <result>
++ <xsl:value-of select="system-property('msxsl:version')"/>
++ </result>
++ </xsl:template>
++</xsl:transform>
+--
+1.7.11.4
+
diff --git a/libxslt-Hardening-of-code-checking-node-types-in-EXSLT.patch b/libxslt-Hardening-of-code-checking-node-types-in-EXSLT.patch
new file mode 100644
index 0000000..7413614
--- /dev/null
+++ b/libxslt-Hardening-of-code-checking-node-types-in-EXSLT.patch
@@ -0,0 +1,42 @@
+From bf0c46743621b01896c1bdf6f51ed1a0f01aa2b6 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Thu, 16 Aug 2012 15:51:35 +0800
+Subject: [PATCH] Hardening of code checking node types in EXSLT
+To: libvir-list at redhat.com
+
+Followup on CVE-2012-2870
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libexslt/functions.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libexslt/functions.c b/libexslt/functions.c
+index 13fd06e..4c68cea 100644
+--- a/libexslt/functions.c
++++ b/libexslt/functions.c
+@@ -459,10 +459,9 @@ exsltFuncFunctionComp (xsltStylesheetPtr style, xmlNodePtr inst) {
+ xmlHashTablePtr data;
+ exsltFuncFunctionData *func;
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+-
+ {
+ xmlChar *qname;
+
+@@ -546,6 +545,9 @@ exsltFuncResultComp (xsltStylesheetPtr style, xmlNodePtr inst,
+ xmlChar *sel;
+ exsltFuncResultPreComp *ret;
+
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
++ return (NULL);
++
+ /*
+ * "Validity" checking
+ */
+--
+1.7.11.4
+
diff --git a/libxslt-Hardening-of-code-checking-node-types-in-various-entry-point.patch b/libxslt-Hardening-of-code-checking-node-types-in-various-entry-point.patch
new file mode 100644
index 0000000..cdf841b
--- /dev/null
+++ b/libxslt-Hardening-of-code-checking-node-types-in-various-entry-point.patch
@@ -0,0 +1,594 @@
+From 690089bbc9fe0229b6ec64c7a913b02f2b6dec4d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Thu, 9 Aug 2012 16:18:51 +0800
+Subject: [PATCH] Hardening of code checking node types in various entry point
+To: libvir-list at redhat.com
+
+Followup on CVE-2012-2870
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ libxslt/attributes.c | 5 +++--
+ libxslt/preproc.c | 45 +++++++++++++++++++++++----------------------
+ libxslt/templates.c | 15 ++++++++++-----
+ libxslt/transform.c | 2 +-
+ libxslt/variables.c | 10 +++++-----
+ libxslt/xslt.c | 43 +++++++++++++++++++++++++------------------
+ libxslt/xsltutils.c | 27 +++++++++++++++++++--------
+ 7 files changed, 86 insertions(+), 61 deletions(-)
+
+diff --git a/libxslt/attributes.c b/libxslt/attributes.c
+index ce47df7..11d558b 100644
+--- a/libxslt/attributes.c
++++ b/libxslt/attributes.c
+@@ -293,7 +293,7 @@ xsltParseStylesheetAttributeSet(xsltStylesheetPtr style, xmlNodePtr cur) {
+ xmlNodePtr child;
+ xsltAttrElemPtr attrItems;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ value = xmlGetNsProp(cur, (const xmlChar *)"name", NULL);
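Review bot: The widened guard rejects a non-element `cur` by returning silently, so a stylesheet that reaches this path compiles with the attribute set simply missing and nothing reports why. A hardening check that should never fire on well-formed input is easier to notice in testing and fuzzing if it reports itself, for example `xsltTransformError(NULL, style, NULL, "xsl:attribute-set : unexpected node type\n");` before the `return`, passing NULL rather than the mistyped node to the error routine. The same holds for the other `!= XML_ELEMENT_NODE` guards this patch adds in preproc.c, templates.c, variables.c and xslt.c, and for the two in the libexslt/functions.c follow-up. Whether any caller reports the condition is not visible in these hunks.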
+@@ -656,7 +656,8 @@ xsltAttributeInternal(xsltTransformContextPtr ctxt,
+ xmlNsPtr ns = NULL;
+ xmlAttrPtr attr;
+
+- if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL))
++ if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL) ||
++ (inst->type != XML_ELEMENT_NODE) )
+ return;
+
+ /*
+diff --git a/libxslt/preproc.c b/libxslt/preproc.c
+index b47d809..0d79976 100644
+--- a/libxslt/preproc.c
++++ b/libxslt/preproc.c
+@@ -669,7 +669,7 @@ xsltSortComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ #else
+ xsltStylePreCompPtr comp;
+ #endif
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -777,7 +777,7 @@ xsltCopyComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+ #ifdef XSLT_REFACTORED
+ comp = (xsltStyleItemCopyPtr) xsltNewStylePreComp(style, XSLT_FUNC_COPY);
+@@ -821,7 +821,7 @@ xsltTextComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ #endif
+ const xmlChar *prop;
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -874,7 +874,7 @@ xsltElementComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ * <!-- Content: template -->
+ * </xsl:element>
+ */
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -991,7 +991,7 @@ xsltAttributeComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ * <!-- Content: template -->
+ * </xsl:attribute>
+ */
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1111,7 +1111,7 @@ xsltCommentComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1141,7 +1141,7 @@ xsltProcessingInstructionComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1175,7 +1175,7 @@ xsltCopyOfComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1222,7 +1222,7 @@ xsltValueOfComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ #endif
+ const xmlChar *prop;
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1347,7 +1347,7 @@ xsltWithParamComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1406,7 +1406,7 @@ xsltNumberComp(xsltStylesheetPtr style, xmlNodePtr cur) {
+ #endif
+ const xmlChar *prop;
+
+- if ((style == NULL) || (cur == NULL))
++ if ((style == NULL) || (cur == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1520,7 +1520,7 @@ xsltApplyImportsComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1550,7 +1550,7 @@ xsltCallTemplateComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1589,7 +1589,7 @@ xsltApplyTemplatesComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1641,7 +1641,7 @@ xsltChooseComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1672,7 +1672,7 @@ xsltIfComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1718,7 +1718,7 @@ xsltWhenComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1764,7 +1764,7 @@ xsltForEachComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1812,7 +1812,7 @@ xsltVariableComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1875,7 +1875,7 @@ xsltParamComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1967,7 +1967,7 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr node) {
+ * the parsing mechanism for all elements in the XSLT namespace.
+ */
+ if (style == NULL) {
+- if (node != NULL)
++ if ((node != NULL) && (node->type == XML_ELEMENT_NODE))
+ node->psvi = NULL;
+ return;
+ }
+@@ -2182,7 +2182,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
+ * namespace- and local-name of the node, but can evaluate this
+ * using cctxt->style->inode->category;
+ */
+- if (inst->psvi != NULL)
++ if ((inst == NULL) || (inst->type != XML_ELEMENT_NODE) ||
++ (inst->psvi != NULL))
+ return;
+
+ if (IS_XSLT_ELEM(inst)) {
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index c6250dc..81de93c 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -198,7 +198,8 @@ xsltEvalTemplateString(xsltTransformContextPtr ctxt,
+ xmlNodePtr oldInsert, insert = NULL;
+ xmlChar *ret;
+
+- if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL))
++ if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL) ||
++ (inst->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ if (inst->children == NULL)
+@@ -380,7 +381,8 @@ xsltEvalAttrValueTemplate(xsltTransformContextPtr ctxt, xmlNodePtr inst,
+ xmlChar *ret;
+ xmlChar *expr;
+
+- if ((ctxt == NULL) || (inst == NULL) || (name == NULL))
++ if ((ctxt == NULL) || (inst == NULL) || (name == NULL) ||
++ (inst->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ expr = xsltGetNsProp(inst, name, ns);
+@@ -424,7 +426,8 @@ xsltEvalStaticAttrValueTemplate(xsltStylesheetPtr style, xmlNodePtr inst,
+ const xmlChar *ret;
+ xmlChar *expr;
+
+- if ((style == NULL) || (inst == NULL) || (name == NULL))
++ if ((style == NULL) || (inst == NULL) || (name == NULL) ||
++ (inst->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ expr = xsltGetNsProp(inst, name, ns);
+@@ -465,7 +468,8 @@ xsltAttrTemplateProcess(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ const xmlChar *value;
+ xmlAttrPtr ret;
+
+- if ((ctxt == NULL) || (attr == NULL) || (target == NULL))
++ if ((ctxt == NULL) || (attr == NULL) || (target == NULL) ||
++ (target->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ if (attr->type != XML_ATTRIBUTE_NODE)
+@@ -622,7 +626,8 @@ xsltAttrListTemplateProcess(xsltTransformContextPtr ctxt,
+ const xmlChar *value;
+ xmlChar *valueAVT;
+
+- if ((ctxt == NULL) || (target == NULL) || (attrs == NULL))
++ if ((ctxt == NULL) || (target == NULL) || (attrs == NULL) ||
++ (target->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ oldInsert = ctxt->insert;
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 04d0468..38fbad6 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -726,7 +726,7 @@ xsltCopyTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ #endif
+
+ /*
+- * Play save and reset the merging mechanism for every new
++ * Play safe and reset the merging mechanism for every new
+ * target node.
+ */
+ if ((target == NULL) || (target->children == NULL)) {
+diff --git a/libxslt/variables.c b/libxslt/variables.c
+index 43a6156..df207c7 100644
+--- a/libxslt/variables.c
++++ b/libxslt/variables.c
+@@ -1926,7 +1926,7 @@ xsltParseStylesheetCallerParam(xsltTransformContextPtr ctxt, xmlNodePtr inst)
+ the instruction itself. */
+ xsltStackElemPtr param = NULL;
+
+- if ((ctxt == NULL) || (inst == NULL))
++ if ((ctxt == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ #ifdef XSLT_REFACTORED
+@@ -1985,7 +1985,7 @@ xsltParseGlobalVariable(xsltStylesheetPtr style, xmlNodePtr cur)
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -2047,7 +2047,7 @@ xsltParseGlobalParam(xsltStylesheetPtr style, xmlNodePtr cur) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -2110,7 +2110,7 @@ xsltParseStylesheetVariable(xsltTransformContextPtr ctxt, xmlNodePtr inst)
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((inst == NULL) || (ctxt == NULL))
++ if ((inst == NULL) || (ctxt == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ comp = inst->psvi;
+@@ -2152,7 +2152,7 @@ xsltParseStylesheetParam(xsltTransformContextPtr ctxt, xmlNodePtr cur)
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((cur == NULL) || (ctxt == NULL))
++ if ((cur == NULL) || (ctxt == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ comp = cur->psvi;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 28c8c59..07a72c5 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -1153,9 +1153,9 @@ xsltParseStylesheetOutput(xsltStylesheetPtr style, xmlNodePtr cur)
+ xmlChar *element,
+ *end;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+-
++
+ prop = xmlGetNsProp(cur, (const xmlChar *) "version", NULL);
+ if (prop != NULL) {
+ if (style->version != NULL)
+@@ -1368,12 +1368,12 @@ xsltParseStylesheetDecimalFormat(xsltStylesheetPtr style, xmlNodePtr cur)
+ xmlChar *prop;
+ xsltDecimalFormatPtr format;
+ xsltDecimalFormatPtr iter;
+-
+- if ((cur == NULL) || (style == NULL))
++
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ format = style->decimalFormat;
+-
++
+ prop = xmlGetNsProp(cur, BAD_CAST("name"), NULL);
+ if (prop != NULL) {
+ format = xsltDecimalFormatGetByName(style, prop);
+@@ -1475,7 +1475,7 @@ xsltParseStylesheetPreserveSpace(xsltStylesheetPtr style, xmlNodePtr cur) {
+ xmlChar *elements;
+ xmlChar *element, *end;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ elements = xmlGetNsProp(cur, (const xmlChar *)"elements", NULL);
+@@ -1549,7 +1549,7 @@ xsltParseStylesheetExtPrefix(xsltStylesheetPtr style, xmlNodePtr cur,
+ xmlChar *prefixes;
+ xmlChar *prefix, *end;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ if (isXsltElem) {
+@@ -1614,7 +1614,7 @@ xsltParseStylesheetStripSpace(xsltStylesheetPtr style, xmlNodePtr cur) {
+ xmlChar *elements;
+ xmlChar *element, *end;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ elements = xmlGetNsProp(cur, (const xmlChar *)"elements", NULL);
+@@ -1687,7 +1687,7 @@ xsltParseStylesheetExcludePrefix(xsltStylesheetPtr style, xmlNodePtr cur,
+ xmlChar *prefixes;
+ xmlChar *prefix, *end;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return(0);
+
+ if (isXsltElem)
+@@ -4278,7 +4278,7 @@ static int
+ xsltParseUnknownXSLTElem(xsltCompilerCtxtPtr cctxt,
+ xmlNodePtr node)
+ {
+- if ((cctxt == NULL) || (node == NULL))
++ if ((cctxt == NULL) || (node == NULL) || (node->type != XML_ELEMENT_NODE))
+ return(-1);
+
+ /*
+@@ -4375,7 +4375,7 @@ xsltParseSequenceConstructor(xsltCompilerCtxtPtr cctxt, xmlNodePtr cur)
+ if (cctxt->inode->category == XSLT_ELEMENT_CATEGORY_EXTENSION) {
+ cctxt->inode->extContentHandled = 1;
+ }
+- if (cur == NULL)
++ if ((cur == NULL) || (cur->type == XML_NAMESPACE_DECL))
+ return;
+ /*
+ * This is the content reffered to as a "template".
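Review bot: This guard rejects only `XML_NAMESPACE_DECL`, while almost every other guard in the patch requires `XML_ELEMENT_NODE`, and nothing says why the test is narrower here. If the reason is that `cur` is the first node of a content list and may legitimately be a text or comment node, a comment should say so, e.g. `/* cur may be any child node type; only a namespace declaration is unsafe to walk here */`. The two xsltParseTemplateContent hunks below apply the same narrower test to `templ` and need the same explanation. In the second of them the `return;` shares a line with the condition, which hides the exit, so it should go on its own line as elsewhere in the file. The function bodies continue outside the hunks.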
+@@ -4780,7 +4780,8 @@ xsltParseSequenceConstructor(xsltCompilerCtxtPtr cctxt, xmlNodePtr cur)
+ */
+ void
+ xsltParseTemplateContent(xsltStylesheetPtr style, xmlNodePtr templ) {
+- if ((style == NULL) || (templ == NULL))
++ if ((style == NULL) || (templ == NULL) ||
++ (templ->type == XML_NAMESPACE_DECL))
+ return;
+
+ /*
+@@ -4829,6 +4830,10 @@ xsltParseTemplateContent(xsltStylesheetPtr style, xmlNodePtr templ) {
+ void
+ xsltParseTemplateContent(xsltStylesheetPtr style, xmlNodePtr templ) {
+ xmlNodePtr cur, delete;
++
++ if ((style == NULL) || (templ == NULL) ||
++ (templ->type == XML_NAMESPACE_DECL)) return;
++
+ /*
+ * This content comes from the stylesheet
+ * For stylesheets, the set of whitespace-preserving
+@@ -5048,7 +5053,7 @@ xsltParseStylesheetKey(xsltStylesheetPtr style, xmlNodePtr key) {
+ xmlChar *name = NULL;
+ xmlChar *nameURI = NULL;
+
+- if ((style == NULL) || (key == NULL))
++ if ((style == NULL) || (key == NULL) || (key->type != XML_ELEMENT_NODE))
+ return;
+
+ /*
+@@ -5138,7 +5143,8 @@ xsltParseXSLTTemplate(xsltCompilerCtxtPtr cctxt, xmlNodePtr templNode) {
+ xmlChar *prop;
+ double priority;
+
+- if ((cctxt == NULL) || (templNode == NULL))
++ if ((cctxt == NULL) || (templNode == NULL) ||
++ (templNode->type != XML_ELEMENT_NODE))
+ return;
+
+ /*
+@@ -5299,7 +5305,8 @@ xsltParseStylesheetTemplate(xsltStylesheetPtr style, xmlNodePtr template) {
+ xmlChar *modeURI = NULL;
+ double priority;
+
+- if (template == NULL)
++ if ((style == NULL) || (template == NULL) ||
++ (template->type != XML_ELEMENT_NODE))
+ return;
+
+ /*
+@@ -5431,7 +5438,7 @@ static xsltStyleItemIncludePtr
+ xsltCompileXSLTIncludeElem(xsltCompilerCtxtPtr cctxt, xmlNodePtr node) {
+ xsltStyleItemIncludePtr item;
+
+- if ((cctxt == NULL) || (node == NULL))
++ if ((cctxt == NULL) || (node == NULL) || (node->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ node->psvi = NULL;
+@@ -5951,7 +5958,7 @@ xsltParseXSLTStylesheetElem(xsltCompilerCtxtPtr cctxt, xmlNodePtr node)
+ {
+ xmlNodePtr cur, start;
+
+- if ((cctxt == NULL) || (node == NULL))
++ if ((cctxt == NULL) || (node == NULL) || (node->type != XML_ELEMENT_NODE))
+ return(-1);
+
+ if (node->children == NULL)
+@@ -6039,7 +6046,7 @@ xsltParseStylesheetTop(xsltStylesheetPtr style, xmlNodePtr top) {
+ int templates = 0;
+ #endif
+
+- if (top == NULL)
++ if ((top == NULL) || (top->type != XML_ELEMENT_NODE))
+ return;
+
+ prop = xmlGetNsProp(top, (const xmlChar *)"version", NULL);
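Review bot: `style` is not checked in the new guard, although the xsltParseStylesheetTemplate hunk in this same file gained `style == NULL` alongside its node-type test. If the body, which continues past the hunk, dereferences `style`, the guard should read `if ((style == NULL) || (top == NULL) || (top->type != XML_ELEMENT_NODE))`.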
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 749a768..487f195 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
+@@ -90,10 +90,15 @@ xsltGetCNsProp(xsltStylesheetPtr style, xmlNodePtr node,
+ if ((node == NULL) || (style == NULL) || (style->dict == NULL))
+ return(NULL);
+
+- prop = node->properties;
+- if (nameSpace == NULL) {
++ if (nameSpace == NULL)
+ return xmlGetProp(node, name);
+- }
++
++ if (node->type == XML_NAMESPACE_DECL)
++ return(NULL);
++ if (node->type == XML_ELEMENT_NODE)
++ prop = node->properties;
++ else
++ prop = NULL;
+ while (prop != NULL) {
+ /*
+ * One need to have
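Review bot: The `nameSpace == NULL` shortcut now runs before the node-type test, so on that path a node of any type, including an `XML_NAMESPACE_DECL`, is still handed to `xmlGetProp()` and safety depends on that function's own checking. Moving `if (node->type == XML_NAMESPACE_DECL) return(NULL);` above `if (nameSpace == NULL)` keeps the guarantee local to this function. The xsltGetNsProp hunk further down has the same ordering and should be changed the same way. Both function bodies continue outside the hunks.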
+@@ -130,7 +135,7 @@ xsltGetCNsProp(xsltStylesheetPtr style, xmlNodePtr node,
+ attrDecl = xmlGetDtdAttrDesc(doc->intSubset, node->name, name);
+ if ((attrDecl == NULL) && (doc->extSubset != NULL))
+ attrDecl = xmlGetDtdAttrDesc(doc->extSubset, node->name, name);
+-
++
+ if ((attrDecl != NULL) && (attrDecl->prefix != NULL)) {
+ /*
+ * The DTD declaration only allows a prefix search
+@@ -172,7 +177,15 @@ xsltGetNsProp(xmlNodePtr node, const xmlChar *name, const xmlChar *nameSpace) {
+ if (node == NULL)
+ return(NULL);
+
+- prop = node->properties;
++ if (nameSpace == NULL)
++ return xmlGetProp(node, name);
++
++ if (node->type == XML_NAMESPACE_DECL)
++ return(NULL);
++ if (node->type == XML_ELEMENT_NODE)
++ prop = node->properties;
++ else
++ prop = NULL;
+ /*
+ * TODO: Substitute xmlGetProp() for xmlGetNsProp(), since the former
+ * is not namespace-aware and will return an attribute with equal
+@@ -182,8 +195,6 @@ xsltGetNsProp(xmlNodePtr node, const xmlChar *name, const xmlChar *nameSpace) {
+ * So this would return "myName" even if an attribute @name
+ * in the XSLT was requested.
+ */
+- if (nameSpace == NULL)
+- return(xmlGetProp(node, name));
+ while (prop != NULL) {
+ /*
+ * One need to have
+@@ -216,7 +227,7 @@ xsltGetNsProp(xmlNodePtr node, const xmlChar *name, const xmlChar *nameSpace) {
+ attrDecl = xmlGetDtdAttrDesc(doc->intSubset, node->name, name);
+ if ((attrDecl == NULL) && (doc->extSubset != NULL))
+ attrDecl = xmlGetDtdAttrDesc(doc->extSubset, node->name, name);
+-
++
+ if ((attrDecl != NULL) && (attrDecl->prefix != NULL)) {
+ /*
+ * The DTD declaration only allows a prefix search
+--
+1.7.11.4
+
diff --git a/libxslt-xsltproc-should-return-an-error-code-if-xinclude-fails.patch b/libxslt-xsltproc-should-return-an-error-code-if-xinclude-fails.patch
new file mode 100644
index 0000000..2acc67f
--- /dev/null
+++ b/libxslt-xsltproc-should-return-an-error-code-if-xinclude-fails.patch
@@ -0,0 +1,51 @@
+From 303a2d49a7eb3327ece37c47d5945abb693eb787 Mon Sep 17 00:00:00 2001
+From: Malcolm Purvis <malcolm at purvis.id.au>
+Date: Thu, 16 Aug 2012 17:08:31 +0800
+Subject: [PATCH] xsltproc should return an error code if xinclude fails
+To: libvir-list at redhat.com
+
+When running xsltproc with the --xinclude option and if the included file
+contains parse errors, then xsltproc exits with a success return code (0)
+rather than an error code. This is despite the fact that parser error
+messages are printed out.
+* xsltproc/xsltproc.c: check xinclude processing function return code,
+ fail with error 6 if it went wrong.
+
+Signed-off-by: Daniel Veillard <veillard at redhat.com>
+---
+ xsltproc/xsltproc.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
+index e978a63..a1f01b1 100644
+--- a/xsltproc/xsltproc.c
++++ b/xsltproc/xsltproc.c
+@@ -359,16 +359,23 @@ xsltProcess(xmlDocPtr doc, xsltStylesheetPtr cur, const char *filename) {
+
+ #ifdef LIBXML_XINCLUDE_ENABLED
+ if (xinclude) {
++ int ret;
++
+ if (timing)
+ startTimer();
+ #if LIBXML_VERSION >= 20603
+- xmlXIncludeProcessFlags(doc, XSLT_PARSE_OPTIONS);
++ ret = xmlXIncludeProcessFlags(doc, XSLT_PARSE_OPTIONS);
+ #else
+- xmlXIncludeProcess(doc);
++ ret = xmlXIncludeProcess(doc);
+ #endif
+ if (timing) {
+ endTimer("XInclude processing %s", filename);
+ }
++
++ if (ret < 0) {
++ errorno = 6;
++ return;
++ }
+ }
+ #endif
+ if (timing)
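Review bot: The new `return` leaves xsltProcess before anything else in the function runs, so any release of `doc` that the rest of the body performs is skipped on this path. The body continues outside the hunk, so it needs confirming who frees the document when XInclude fails; if xsltProcess owns it, add `xmlFreeDoc(doc);` before the `return`. The literal `6` is also unexplained at this spot, and a short comment such as `/* 6: XInclude processing failed */` would record what the code means.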
+--
+1.7.11.4
+
diff --git a/libxslt.spec b/libxslt.spec
index 8194e3b..fcb7f84 100644
--- a/libxslt.spec
+++ b/libxslt.spec
@@ -1,7 +1,7 @@
Summary: Library providing the Gnome XSLT engine
Name: libxslt
Version: 1.1.26
-Release: 9%{?dist}
+Release: 10%{?dist}%{?extra_release}
License: MIT
Group: Development/Libraries
Source: ftp://xmlsoft.org/XSLT/libxslt-%{version}.tar.gz
@@ -10,11 +10,28 @@ BuildRequires: libxml2-devel
BuildRequires: python2-devel
BuildRequires: libxml2-python
BuildRequires: libgcrypt-devel
+BuildRequires: automake autoconf
# Fedora specific patch
Patch0: multilib.patch
Patch1: libxslt-1.1.26-utf8-docs.patch
+Patch2: libxslt-Fix-direct-pattern-matching-bug.patch
+Patch3: libxslt-Fix-popping-of-vars-in-xsltCompilerNodePop.patch
+Patch4: libxslt-Fix-bug-602515.patch
+Patch5: libxslt-Fix-generate-id-to-not-expose-object-addresses.patch
+Patch6: libxslt-Fix-some-case-of-pattern-parsing-errors.patch
+Patch7: libxslt-Fix-a-bug-in-selecting-XSLT-elements.patch
+Patch8: libxslt-Fix-portability-to-upcoming-libxml2-2.9.0.patch
+Patch9: libxslt-Fix-default-template-processing-on-namespace-nodes.patch
+Patch10: libxslt-Cleanup-of-the-pattern-compilation-code.patch
+Patch11: libxslt-Hardening-of-code-checking-node-types-in-various-entry-point.patch
+Patch12: libxslt-Hardening-of-code-checking-node-types-in-EXSLT.patch
+Patch13: libxslt-Fix-system-property-with-unknown-namespace.patch
+Patch14: libxslt-xsltproc-should-return-an-error-code-if-xinclude-fails.patch
+Patch15: libxslt-Fix-a-dictionary-string-usage.patch
+Patch16: libxslt-Avoid-a-heap-use-after-free-error.patch
+
%description
This C library allows to transform XML files into other XML files
(or HTML, text, ...) using the standard XSLT stylesheet transformation
@@ -59,6 +76,22 @@ gzip -9 ChangeLog
touch -r ChangeLog.utf8 ChangeLog.gz
touch -r NEWS.utf8 NEWS
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+
chmod 644 python/tests/*
%build
@@ -118,6 +151,24 @@ make tests
%doc python/tests/*.xsl
%changelog
+* Wed Sep 12 2012 Daniel Veillard <veillard at redhat.com> 1.1.26-10
+- Fixes CVE-2011-1202 CVE-2011-3970 CVE-2012-2825 CVE-2012-2871 CVE-2012-2870
+- Fix direct pattern matching bug
+- Fix popping of vars in xsltCompilerNodePop
+- Fix bug 602515
+- Fix generate-id() to not expose object addresses (CVE-2011-1202)
+- Fix some case of pattern parsing errors (CVE-2011-3970)
+- Fix a bug in selecting XSLT elements (CVE-2012-2825)
+- Fix portability to upcoming libxml2-2.9.0
+- Fix default template processing on namespace nodes (CVE-2012-2871)
+- Cleanup of the pattern compilation code (CVE-2012-2870)
+- Hardening of code checking node types in various entry point (CVE-2012-2870)
+- Hardening of code checking node types in EXSLT (CVE-2012-2870)
+- Fix system-property with unknown namespace
+- xsltproc should return an error code if xinclude fails
+- Fix a dictionary string usage
+- Avoid a heap use after free error
+
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.1.26-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild