debian/0000775000000000000000000000000013454143306007173 5ustar debian/xsltproc.install0000664000000000000000000000002113454135077012440 0ustar usr/bin/xsltproc debian/libxslt1.1.lintian-overrides0000664000000000000000000000005613454135077014463 0ustar libxslt1.1: package-name-doesnt-match-sonames debian/rules0000775000000000000000000000676713454135077010301 0ustar #!/usr/bin/make -f # The versions of python currently supported PYVERS=$(shell pyversions -s) # The current default version of python PYVER=$(shell pyversions -d) export DEB_BUILD_MAINT_OPTIONS=hardening=+all DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) CFLAGS = `dpkg-buildflags --get CFLAGS` -Wall LDFLAGS = `dpkg-buildflags --get LDFLAGS` -Wl,--as-needed CPPFLAGS = `dpkg-buildflags --get CPPFLAGS` CONFIGURE_FLAGS := --with-history CC="$(CC)" CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" --cache-file="$(CURDIR)/builddir/config.cache" TARGETS := main $(PYVERS) $(PYVERS:%=%-dbg) override_dh_auto_configure: $(TARGETS:%=configure-%) configure-%: -test -r /usr/share/misc/config.sub && \ cp -f /usr/share/misc/config.sub config.sub -test -r /usr/share/misc/config.guess && \ cp -f /usr/share/misc/config.guess config.guess dh_auto_configure --builddirectory=builddir/$* -- $(CONFIGURE_FLAGS) configure-main: CONFIGURE_FLAGS += --without-python configure-python%: CONFIGURE_FLAGS += --with-python=/usr/bin/$* override_dh_auto_build: $(TARGETS:%=dobuild-%) dobuild-%: BUILD_DIR=builddir/$* dobuild-%: $(if $(filter $(BUILD_DIR),builddir/$*),,[ -d $(BUILD_DIR) ] || mv builddir/$*/python $(BUILD_DIR)) dh_auto_build --builddirectory=$(BUILD_DIR) -- $(BUILD_FLAGS) dobuild-python%: BUILD_DIR=builddir/main/$* dobuild-python%-dbg: BUILD_FLAGS = PYTHON_INCLUDES=/usr/include/$(*:-dbg=_d) \ LDFLAGS="$(LDFLAGS) -L$(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)" CFLAGS="$(CFLAGS) -Wall -O0" override_dh_auto_clean: rm -rf builddir debian/tmp-dbg config.sub config.guess autogen.sh dh_auto_clean override_dh_auto_install: $(TARGETS:%=doinstall-%) find debian/ -name *.la -delete doinstall-main: dh_auto_install --builddirectory=builddir/main # Properly install documentation in /usr/share/doc/libxslt1-dev install -d debian/tmp/usr/share/doc/libxslt1-dev/EXSLT install -m 644 \ doc/*.html \ doc/*.gif \ doc/libxslt-*.xml debian/tmp/usr/share/doc/libxslt1-dev install -m 644 \ doc/EXSLT/*.html \ doc/EXSLT/libexslt-*.xml debian/tmp/usr/share/doc/libxslt1-dev cp -a \ doc/html \ doc/tutorial \ doc/tutorial2 debian/tmp/usr/share/doc/libxslt1-dev cp -a \ doc/EXSLT/html debian/tmp/usr/share/doc/libxslt1-dev/EXSLT sed -i "/dependency_libs/ s/'.*'/''/" debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/*.la doinstall-python%-dbg: $(MAKE) -C builddir/main/python$*-dbg DESTDIR=$(CURDIR)/debian/tmp-dbg install-pythonLTLIBRARIES prename 's/(? /dev/null 2>&1; then \ rm -f $(python)/libxsltmod.so; \ ln -s ../$(PYVER)/libxsltmod.so $(python)/libxsltmod.so; \ fi;) override_dh_compress: dh_compress -a -Xexamples/ override_dh_makeshlibs: dh_makeshlibs -a -V 'libxslt1.1 (>= 1.1.26)' -- -c4 %: dh $@ --with autoreconf,python2 debian/source/0000775000000000000000000000000013454135077010501 5ustar debian/source/format0000664000000000000000000000001413454135077011707 0ustar 3.0 (quilt) debian/watch0000664000000000000000000000007713454135077010236 0ustar version=3 ftp://xmlsoft.org/libxslt/libxslt-([\d\.]+)\.tar\.gz debian/libxslt1.1.symbols0000664000000000000000000000353013454135077012515 0ustar libxslt.so.1 libxslt1.1 #MINVER# (symver|optional)LIBXML2_1.0.11 1.1.25 (symver|optional)LIBXML2_1.0.12 1.1.25 (symver|optional)LIBXML2_1.0.13 1.1.25 (symver|optional)LIBXML2_1.0.16 1.1.25 (symver|optional)LIBXML2_1.0.17 1.1.25 (symver|optional)LIBXML2_1.0.18 1.1.25 (symver|optional)LIBXML2_1.0.22 1.1.25 (symver|optional)LIBXML2_1.0.24 1.1.25 (symver|optional)LIBXML2_1.0.30 1.1.25 (symver|optional)LIBXML2_1.0.32 1.1.25 (symver|optional)LIBXML2_1.0.33 1.1.25 (symver|optional)LIBXML2_1.1.0 1.1.25 (symver|optional)LIBXML2_1.1.1 1.1.25 (symver|optional)LIBXML2_1.1.2 1.1.25 (symver|optional)LIBXML2_1.1.3 1.1.25 (symver|optional)LIBXML2_1.1.5 1.1.25 (symver|optional)LIBXML2_1.1.7 1.1.25 (symver|optional)LIBXML2_1.1.9 1.1.25 (symver|optional)LIBXML2_1.1.18 1.1.25 (symver|optional)LIBXML2_1.1.20 1.1.25 (symver|optional)LIBXML2_1.1.23 1.1.25 (symver|optional)LIBXML2_1.1.24 1.1.25 (symver|optional)LIBXML2_1.1.25 1.1.25 (symver|optional)LIBXML2_1.1.26 1.1.26 (symver|optional)LIBXML2_1.1.27 1.1.27 xsltComputingGlobalVarMarker@Base 1.1.25 xsltCopyTree@Base 1.1.25 xsltDefaultTrace@Base 1.1.25 xsltFreeLocales@LIBXML2_1.1.27 1.1.27 xsltXPathCompileFlags@LIBXML2_1.1.27 1.1.27 xsltMaxVars@LIBXML2_1.0.24 1.1.27 libexslt.so.0 libxslt1.1 #MINVER# exsltCommonRegister@Base 1.1.25 exsltCryptoRegister@Base 1.1.25 exsltDateRegister@Base 1.1.25 exsltDateXpathCtxtRegister@Base 1.1.25 exsltDynRegister@Base 1.1.25 exsltFuncRegister@Base 1.1.25 exsltLibexsltVersion@Base 1.1.25 exsltLibraryVersion@Base 1.1.25 exsltLibxmlVersion@Base 1.1.25 exsltLibxsltVersion@Base 1.1.25 exsltMathRegister@Base 1.1.25 exsltMathXpathCtxtRegister@Base 1.1.25 exsltRegisterAll@Base 1.1.25 exsltSaxonRegister@Base 1.1.25 exsltSetsRegister@Base 1.1.25 exsltSetsXpathCtxtRegister@Base 1.1.25 exsltStrRegister@Base 1.1.25 exsltStrXpathCtxtRegister@Base 1.1.25 debian/control0000664000000000000000000000766613454135077010623 0ustar Source: libxslt Section: text Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian XML/SGML Group Uploaders: Aron Xu , YunQiang Su Standards-Version: 3.9.4 Build-Depends: debhelper (>= 9), libxml2-dev (>= 2.6.27), python-all-dev (>= 2.6.6-3~), python-all-dbg, libgcrypt11-dev, dh-autoreconf, binutils (>= 2.14.90.0.7), perl Homepage: http://xmlsoft.org/xslt/ Vcs-Git: git://anonscm.debian.org/debian-xml-sgml/libxslt.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=debian-xml-sgml/libxslt.git Package: libxslt1.1 Section: libs Architecture: any Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Depends: ${misc:Depends}, ${shlibs:Depends}, Description: XSLT 1.0 processing library - runtime library XSLT is an XML language for defining transformations of XML files from XML to some other arbitrary format, such as XML, HTML, plain text, etc. using standard XSLT stylesheets. libxslt is a C library which implements XSLT version 1.0. . This package contains the libxslt library used by applications for XSLT transformations. Package: libxslt1-dev Section: libdevel Architecture: any Multi-Arch: same Provides: libxslt-dev Depends: libxslt1.1 (= ${binary:Version}), libxml2-dev (>= 2.6.26), ${misc:Depends} Description: XSLT 1.0 processing library - development kit XSLT is an XML language for defining transformations of XML files from XML to some other arbitrary format, such as XML, HTML, plain text, etc. using standard XSLT stylesheets. libxslt is a C library which implements XSLT version 1.0. . This package contains the development files for libxslt. Package: libxslt1-dbg Section: debug Priority: extra Architecture: any Depends: libxslt1.1 (= ${binary:Version}), ${misc:Depends} Multi-Arch: same Description: XSLT 1.0 processing library - debugging symbols XSLT is an XML language for defining transformations of XML files from XML to some other arbitrary format, such as XML, HTML, plain text, etc. using standard XSLT stylesheets. libxslt is a C library which implements XSLT version 1.0. . This package provides the debugging symbols for the library and for the xsltproc utility provided by the xsltproc package. Debugging symbols for the Python modules are not available. Package: xsltproc Architecture: any Multi-Arch: foreign Depends: ${shlibs:Depends}, ${misc:Depends} Description: XSLT 1.0 command line processor XSLT is an XML language for defining transformations of XML files from XML to some other arbitrary format, such as XML, HTML, plain text, etc. using standard XSLT version 1.0 stylesheets. . This package contains a command line tool that facilitates XSLT transformations. Package: python-libxslt1 Section: python Architecture: any Provides: ${python:Provides} Depends: ${shlibs:Depends}, ${misc:Depends}, ${python:Depends}, python-libxml2 Description: Python bindings for libxslt1 XSLT is an XML language for defining transformations of XML files from XML to some other arbitrary format, such as XML, HTML, plain text, etc. using standard XSLT stylesheets. libxslt is a C library which implements XSLT version 1.0. . This package contains Python bindings for libxslt, needed to use libxslt in Python programs. Package: python-libxslt1-dbg Section: debug Architecture: any Priority: extra Provides: ${python:Provides} Depends: python-dbg, python-libxslt1 (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}, python-libxml2-dbg Description: Python bindings for libxslt1 (debug extension) XSLT is an XML language for defining transformations of XML files from XML to some other arbitrary format, such as XML, HTML, plain text, etc. using standard XSLT stylesheets. libxslt is a C library which implements XSLT version 1.0. . This package contains Python bindings for libxslt, needed to use libxslt in Python programs for use with the Python debug interpreter. debian/libxslt1-dev.doc-base0000664000000000000000000000075713454135077013127 0ustar Document: libxslt1-dev Title: GNOME XSLT Library Reference Manual Author: Daniel Veillard Abstract: This manual documents the interfaces of the libxslt library and has some short notes to help get you up to speed with using the library. Section: Programming Format: HTML Index: /usr/share/doc/libxslt1-dev/index.html Files: /usr/share/doc/libxslt1-dev/*.html /usr/share/doc/libxslt1-dev/html/*.html /usr/share/doc/libxslt1-dev/EXSLT/html/*.html /usr/share/doc/libxslt1-dev/tutorial*/*.html debian/README.Debian0000664000000000000000000000140213454135077011237 0ustar Notes about libxslt ------------------- While libxslt is trying to fit at best the XSLT and EXSLT standards, it is likely to contain implementation bugs which tend to disappear with newer versions. For this reason, if you are using libxslt libraries or tools for standard conforming development, it's suggested to upgrade libxslt with newer packages from either testing or unstable Debian repositories. If you're using libxslt without requiring heavy standards compliance, you don't need such upgrade. Note that this also applies to libxml2 about XML, XPath, XIncludes, etc. standards. Also note that while libxslt implements XSLT and EXSLT, all XPath or XIncludes related bugs are related to libxml2. -- Mike Hommey , Sat Oct 16 17:13:42 JST 2004 debian/copyright0000664000000000000000000000632213454135077011137 0ustar This package was debianized by Nicolás Lichtmaier on Thu, 22 Feb 2001 23:09:08 -0300. The current package maintainer is Ardo van Rangelooij . This package's upstream homepage is http://xmlsoft.org/XSLT/ Upstream Author: Daniel Veillard Copyright: Licence for libxslt except libexslt ---------------------------------------------------------------------- Copyright (C) 2001-2002 Daniel Veillard. All Rights Reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is fur- nished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FIT- NESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE DANIEL VEILLARD BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CON- NECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of Daniel Veillard shall not be used in advertising or otherwise to promote the sale, use or other deal- ings in this Software without prior written authorization from him. ---------------------------------------------------------------------- Licence for libexslt ---------------------------------------------------------------------- Copyright (C) 2001-2002 Thomas Broyer, Charlie Bozeman and Daniel Veillard. All Rights Reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is fur- nished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FIT- NESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CON- NECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of the authors shall not be used in advertising or otherwise to promote the sale, use or other deal- ings in this Software without prior written authorization from him. ---------------------------------------------------------------------- debian/libxslt1-dev.install0000664000000000000000000000031313454135077013104 0ustar usr/include usr/lib/*/libxslt.a usr/lib/*/libexslt.a usr/lib/*/libxslt.so usr/lib/*/libexslt.so usr/lib/*/pkgconfig usr/lib/*/xsltConf.sh usr/bin/xslt-config usr/share/doc/libxslt1-dev usr/share/aclocal debian/libxslt1.1.install0000664000000000000000000000005713454135077012474 0ustar usr/lib/*/libexslt.so.* usr/lib/*/libxslt.so.* debian/python-libxslt1-dbg.preinst0000664000000000000000000000022613454135077014422 0ustar #!/bin/sh set -e [ "$1" = "upgrade" ] && [ -L /usr/share/doc/python-libxslt1-dbg ] && rm -f /usr/share/doc/python-libxslt1-dbg #DEBHELPER# exit 0 debian/compat0000664000000000000000000000000213454135077010377 0ustar 9 debian/TODO0000664000000000000000000000165613454135077007701 0ustar ------------------------------------------------------------------------------ To do list for libxslt ------------------------------------------------------------------------------ BUGS: ------------------------------------------------------------------------------ Number Description ------------------------------------------------------------------------------ 200789 [m68k] Segfault building libbonoboui-docs.sgml 202425 libxslt1-dev: bad include path for libxml2 204583 libxslt1: exslt-function not working in every context 206549 Incorrect result due to computations in extended precision ------------------------------------------------------------------------------ WISHLIST: ------------------------------------------------------------------------------ Number Description ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ debian/xsltproc.manpages0000664000000000000000000000001713454135077012572 0ustar doc/xsltproc.1 debian/python-libxslt1.examples0000664000000000000000000000004613454135077014022 0ustar python/tests/*.py python/tests/test.* debian/libxslt1-dev.manpages0000664000000000000000000000007313454135077013234 0ustar debian/xslt-config.1 libexslt/libexslt.3 libxslt/libxslt.3 debian/xslt-config.10000664000000000000000000000240013454135077011514 0ustar .TH xslt-config 1 "8 March 2002" Version 1.0.0 .SH NAME xslt-config - script to get information about the installed version of libxslt .SH SYNOPSIS .B xslt-config [\-\-prefix\fI[=DIR]\fP] [\-\-libs] [\-\-cflags] [\-\-version] [\-\-help] .SH DESCRIPTION \fIxslt-config\fP is a tool that is used to determine the compile and linker flags that should be used to compile and link programs that use \fIlibxslt\fP. .SH OPTIONS \fIxslt-config\fP accepts the following options: .TP 8 .B \-\-version Print the currently installed version of \fIlibxslt\fP on the standard output. .TP 8 .B \-\-libs Print the linker flags that are necessary to link a \fIlibxslt\fP program. .TP 8 .B \-\-cflags Print the compiler flags that are necessary to compile a \fIlibxslt\fP program. .TP 8 .B \-\-prefix=PREFIX If specified, use PREFIX instead of the installation prefix that \fIlibxslt\fP was built with when computing the output for the \-\-cflags and \-\-libs options. This option must be specified before any \-\-libs or \-\-cflags options. .SH AUTHOR This manual page was adapted from the xml-config by Will Newton . The xml-config manual page was written by Fredrik Hallenberg , for the Debian GNU/linux system (but may be used by others). debian/python-libxslt1-dbg.lintian-overrides0000664000000000000000000000006413454135077016374 0ustar python-libxslt1-dbg: hardening-no-fortify-functions debian/patches/0000775000000000000000000000000013454143166010626 5ustar debian/patches/CVE-2019-11068.patch0000664000000000000000000000773213454143166013343 0ustar From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Sun, 24 Mar 2019 09:51:39 +0100 Subject: [PATCH] Fix security framework bypass xsltCheckRead and xsltCheckWrite return -1 in case of error but callers don't check for this condition and allow access. With a specially crafted URL, xsltCheckRead could be tricked into returning an error because of a supposedly invalid URL that would still be loaded succesfully later on. Fixes #12. Thanks to Felix Wilhelm for the report. --- libxslt/documents.c | 18 ++++++++++-------- libxslt/imports.c | 9 +++++---- libxslt/transform.c | 9 +++++---- libxslt/xslt.c | 9 +++++---- 4 files changed, 25 insertions(+), 20 deletions(-) Index: libxslt-1.1.28/libxslt/documents.c =================================================================== --- libxslt-1.1.28.orig/libxslt/documents.c +++ libxslt-1.1.28/libxslt/documents.c @@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr int res; res = xsltCheckRead(ctxt->sec, ctxt, URI); - if (res == 0) { - xsltTransformError(ctxt, NULL, NULL, - "xsltLoadDocument: read rights for %s denied\n", - URI); + if (res <= 0) { + if (res == 0) + xsltTransformError(ctxt, NULL, NULL, + "xsltLoadDocument: read rights for %s denied\n", + URI); return(NULL); } } @@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr int res; res = xsltCheckRead(sec, NULL, URI); - if (res == 0) { - xsltTransformError(NULL, NULL, NULL, - "xsltLoadStyleDocument: read rights for %s denied\n", - URI); + if (res <= 0) { + if (res == 0) + xsltTransformError(NULL, NULL, NULL, + "xsltLoadStyleDocument: read rights for %s denied\n", + URI); return(NULL); } } Index: libxslt-1.1.28/libxslt/imports.c =================================================================== --- libxslt-1.1.28.orig/libxslt/imports.c +++ libxslt-1.1.28/libxslt/imports.c @@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheet int secres; secres = xsltCheckRead(sec, NULL, URI); - if (secres == 0) { - xsltTransformError(NULL, NULL, NULL, - "xsl:import: read rights for %s denied\n", - URI); + if (secres <= 0) { + if (secres == 0) + xsltTransformError(NULL, NULL, NULL, + "xsl:import: read rights for %s denied\n", + URI); goto error; } } Index: libxslt-1.1.28/libxslt/transform.c =================================================================== --- libxslt-1.1.28.orig/libxslt/transform.c +++ libxslt-1.1.28/libxslt/transform.c @@ -3416,10 +3416,11 @@ xsltDocumentElem(xsltTransformContextPtr */ if (ctxt->sec != NULL) { ret = xsltCheckWrite(ctxt->sec, ctxt, filename); - if (ret == 0) { - xsltTransformError(ctxt, NULL, inst, - "xsltDocumentElem: write rights for %s denied\n", - filename); + if (ret <= 0) { + if (ret == 0) + xsltTransformError(ctxt, NULL, inst, + "xsltDocumentElem: write rights for %s denied\n", + filename); xmlFree(URL); xmlFree(filename); return; Index: libxslt-1.1.28/libxslt/xslt.c =================================================================== --- libxslt-1.1.28.orig/libxslt/xslt.c +++ libxslt-1.1.28/libxslt/xslt.c @@ -6729,10 +6729,11 @@ xsltParseStylesheetFile(const xmlChar* f int res; res = xsltCheckRead(sec, NULL, filename); - if (res == 0) { - xsltTransformError(NULL, NULL, NULL, - "xsltParseStylesheetFile: read rights for %s denied\n", - filename); + if (res <= 0) { + if (res == 0) + xsltTransformError(NULL, NULL, NULL, + "xsltParseStylesheetFile: read rights for %s denied\n", + filename); return(NULL); } } debian/patches/0016-Fix-double-free-in-libexslt-hash-functions-d8862309f0.patch0000664000000000000000000000365013454135077023570 0ustar From d8862309f08054218b28e2c8f5fb3cb2f650cac7 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Wed, 20 Apr 2016 14:35:43 +0200 Subject: [PATCH] Fix double free in libexslt hash functions Thanks to Nicolas Gregoire for the report. Fixes bug #765271: https://bugzilla.gnome.org/show_bug.cgi?id=765271 [This is likely either CVE-2016-4608 or CVE-2016-4612 -- sbeattie] --- libexslt/crypto.c | 15 +++------------ tests/exslt/crypto/hash.1.out | 2 ++ tests/exslt/crypto/hash.1.xml | 5 +++++ 3 files changed, 10 insertions(+), 12 deletions(-) diff --git a/libexslt/crypto.c b/libexslt/crypto.c index 6aa9dd2..e13db8b 100644 --- a/libexslt/crypto.c +++ b/libexslt/crypto.c @@ -499,11 +499,8 @@ exsltCryptoMd4Function (xmlXPathParserContextPtr ctxt, int nargs) { unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1]; str_len = exsltCryptoPopString (ctxt, nargs, &str); - if (str_len == 0) { - xmlXPathReturnEmptyString (ctxt); - xmlFree (str); + if (str_len == 0) return; - } PLATFORM_HASH (ctxt, PLATFORM_MD4, (const char *) str, str_len, (char *) hash); @@ -532,11 +529,8 @@ exsltCryptoMd5Function (xmlXPathParserContextPtr ctxt, int nargs) { unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1]; str_len = exsltCryptoPopString (ctxt, nargs, &str); - if (str_len == 0) { - xmlXPathReturnEmptyString (ctxt); - xmlFree (str); + if (str_len == 0) return; - } PLATFORM_HASH (ctxt, PLATFORM_MD5, (const char *) str, str_len, (char *) hash); @@ -565,11 +559,8 @@ exsltCryptoSha1Function (xmlXPathParserContextPtr ctxt, int nargs) { unsigned char hex[SHA1_DIGEST_LENGTH * 2 + 1]; str_len = exsltCryptoPopString (ctxt, nargs, &str); - if (str_len == 0) { - xmlXPathReturnEmptyString (ctxt); - xmlFree (str); + if (str_len == 0) return; - } PLATFORM_HASH (ctxt, PLATFORM_SHA1, (const char *) str, str_len, (char *) hash); -- 2.7.4 debian/patches/series0000664000000000000000000000172313454143166012046 0ustar 0001-patch-xslt-config-to-add-private-libraries.patch 0002-fix-autoconf-automake.patch 0003-fix-typo.patch 0004-Adding-doc-update-related-to-1.1.28.patch 0005-Fix-a-couple-of-places-where-f-printf-parameters-wer.patch 0006-Initialize-pseudo-random-number-generator-with-curre.patch 0007-EXSLT-function-str-replace-is-broken-as-is.patch 0008-Fix-quoting-of-xlocale-test-program-in-configure.in.patch 0009-CVE-2015-7995.patch 0010-CVE-2016-1683.patch 0011-CVE-2016-1684-1.patch 0012-CVE-2016-1684-2.patch 0013-CVE-2016-1841.patch 0014-CVE-2016-4738.patch 0015-CVE-2017-5029.patch 0016-Fix-double-free-in-libexslt-hash-functions-d8862309f0.patch 0017-Fix-error-handling-in-Saxon-extension-functions-ef7429bb4.patch 0018-Fix-dyn-map-with-namespace-nodes-93bb3147.patch 0019-Fix-saxon-line-number-with-namespace-nodes-8b90c9a6.patch 0020-Fix-buffer-overflow-in-exsltDateFormat-5d0c6565b.patch 0021-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic-87c3d9ea.patch CVE-2019-11068.patch debian/patches/0006-Initialize-pseudo-random-number-generator-with-curre.patch0000664000000000000000000000406113454135077024452 0ustar From: Nils Werner Date: Thu, 24 Jan 2013 18:44:03 +0000 Subject: Initialize pseudo random number generator with current time or optional command line parameter --- xsltproc/xsltproc.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c index 33beddf..7d1fe61 100644 --- a/xsltproc/xsltproc.c +++ b/xsltproc/xsltproc.c @@ -514,6 +514,7 @@ static void usage(const char *name) { printf("\t--maxdepth val : increase the maximum depth (default %d)\n", xsltMaxDepth); printf("\t--maxvars val : increase the maximum variables (default %d)\n", xsltMaxVars); printf("\t--maxparserdepth val : increase the maximum parser depth\n"); + printf("\t--seed-rand val : initialize pseudo random number generator with specific seed\n"); #ifdef LIBXML_HTML_ENABLED printf("\t--html: the input document is(are) an HTML file(s)\n"); #endif @@ -556,6 +557,7 @@ main(int argc, char **argv) return (1); } + srand(time(NULL)); xmlInitMemory(); LIBXML_TEST_VERSION @@ -750,6 +752,15 @@ main(int argc, char **argv) if (value > 0) xmlParserMaxDepth = value; } + } else if ((!strcmp(argv[i], "-seed-rand")) || + (!strcmp(argv[i], "--seed-rand"))) { + int value; + + i++; + if (sscanf(argv[i], "%d", &value) == 1) { + if (value > 0) + srand(value); + } } else if ((!strcmp(argv[i],"-dumpextensions"))|| (!strcmp(argv[i],"--dumpextensions"))) { dumpextensions++; @@ -786,6 +797,10 @@ main(int argc, char **argv) (!strcmp(argv[i], "--maxparserdepth"))) { i++; continue; + } else if ((!strcmp(argv[i], "-seed-rand")) || + (!strcmp(argv[i], "--seed-rand"))) { + i++; + continue; } else if ((!strcmp(argv[i], "-o")) || (!strcmp(argv[i], "-output")) || (!strcmp(argv[i], "--output"))) { debian/patches/0014-CVE-2016-4738.patch0000664000000000000000000000171713454135077013647 0ustar commit eb1030de31165b68487f288308f9d1810fed6880 Author: Nick Wellnhofer Date: Fri Jun 10 14:23:58 2016 +0200 Fix heap overread in xsltFormatNumberConversion An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string. Found with afl-fuzz and ASan. CVE-2016-4738 diff --git a/libxslt/numbers.c b/libxslt/numbers.c index d1549b4..e78c46b 100644 --- a/libxslt/numbers.c +++ b/libxslt/numbers.c @@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self, } /* We have finished the integer part, now work on fraction */ - if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) { + if ( (*the_format != 0) && + (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) { format_info.add_decimal = TRUE; the_format += xsltUTF8Size(the_format); /* Skip over the decimal */ } debian/patches/0011-CVE-2016-1684-1.patch0000664000000000000000000000331313454135077013771 0ustar commit 91d0540ac9beaa86719a05b749219a69baa0dd8d Author: Nick Wellnhofer Date: Sun Apr 10 13:12:28 2016 +0200 Lower and upper bound for format token "i" Handle xsl:number with format "i" and value 0 according to XSLT 2.0. Also introduce an upper bound to fix a denial of service. Index: libxslt-1.1.28/libxslt/numbers.c =================================================================== --- libxslt-1.1.28.orig/libxslt/numbers.c +++ libxslt-1.1.28/libxslt/numbers.c @@ -253,11 +253,24 @@ xsltNumberFormatAlpha(xmlBufferPtr buffe } static void -xsltNumberFormatRoman(xmlBufferPtr buffer, +xsltNumberFormatRoman(xsltNumberDataPtr data, + xmlBufferPtr buffer, double number, int is_upper) { /* + * See discussion in xsltNumberFormatAlpha. Also use a reasonable upper + * bound to avoid denial of service. + */ + if (number < 1.0 || number > 5000.0) { + xsltNumberFormatDecimal(buffer, number, '0', 1, + data->digitsPerGroup, + data->groupingCharacter, + data->groupingCharacterLen); + return; + } + + /* * Based on an example by Jim Walsh */ while (number >= 1000.0) { @@ -495,16 +508,10 @@ xsltNumberFormatInsertNumbers(xsltNumber break; case 'I': - xsltNumberFormatRoman(buffer, - number, - TRUE); - + xsltNumberFormatRoman(data, buffer, number, TRUE); break; case 'i': - xsltNumberFormatRoman(buffer, - number, - FALSE); - + xsltNumberFormatRoman(data, buffer, number, FALSE); break; default: if (IS_DIGIT_ZERO(token->token)) { debian/patches/0002-fix-autoconf-automake.patch0000664000000000000000000000300513454135077016434 0ustar From: Aron Xu Date: Wed, 3 Oct 2012 00:50:32 +0800 Subject: fix autoconf automake --- configure.in | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/configure.in b/configure.in index fc8d5a8..767e980 100644 --- a/configure.in +++ b/configure.in @@ -84,7 +84,7 @@ VERSION=${LIBXSLT_VERSION} AM_INIT_AUTOMAKE($PACKAGE, $VERSION) -# AM_MAINTAINER_MODE +AM_MAINTAINER_MODE # Support silent build rules, requires at least automake-1.11. Disable # by either passing --disable-silent-rules to configure or passing V=1 @@ -460,6 +460,7 @@ else WITH_DEBUGGER=1 AC_DEFINE([WITH_DEBUGGER],[], [Define if debugging support is enabled]) fi +AM_CONDITIONAL(WITH_DEBUGGER, test "${WITH_DEBUGGER}" = "1") AC_SUBST(WITH_DEBUGGER) dnl @@ -649,14 +650,14 @@ AC_SUBST(PYTHON_SITE_PACKAGES) XSLT_LIBDIR='-L${libdir}' XSLT_INCLUDEDIR='-I${includedir}' -XSLT_LIBS="-lxslt $LIBXML_LIBS $M_LIBS" +XSLT_LIBS="-lxslt $LIBXML_LIBS" AC_SUBST(XSLT_LIBDIR) AC_SUBST(XSLT_INCLUDEDIR) AC_SUBST(XSLT_LIBS) EXSLT_LIBDIR='-L${libdir}' EXSLT_INCLUDEDIR='-I${includedir}' -EXSLT_LIBS="-lexslt $XSLT_LIBS $LIBGCRYPT_LIBS" +EXSLT_LIBS="-lexslt $XSLT_LIBS" AC_SUBST(EXSLT_LIBDIR) AC_SUBST(EXSLT_INCLUDEDIR) AC_SUBST(EXSLT_LIBS) @@ -669,7 +670,7 @@ dnl for the spec file RELDATE=`date +'%a %b %e %Y'` AC_SUBST(RELDATE) -rm -f COPYING.LIB COPYING 2>/dev/null && $LN_S $srcdir/Copyright COPYING +#rm -f COPYING.LIB COPYING 2>/dev/null && $LN_S $srcdir/Copyright COPYING AC_CONFIG_FILES([ debian/patches/0001-patch-xslt-config-to-add-private-libraries.patch0000664000000000000000000000451513454135077022356 0ustar From: Aron Xu Date: Wed, 3 Oct 2012 00:46:34 +0800 Subject: patch xslt-config to add private libraries --- libexslt.pc.in | 1 + libxslt.pc.in | 1 + xslt-config.in | 14 ++++++++++++-- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/libexslt.pc.in b/libexslt.pc.in index 16676ff..2f6378f 100644 --- a/libexslt.pc.in +++ b/libexslt.pc.in @@ -9,4 +9,5 @@ Version: @LIBEXSLT_VERSION@ Description: EXSLT Extension library Requires: libxml-2.0 Libs: @EXSLT_LIBDIR@ @EXSLT_LIBS@ +Libs.private: @M_LIBS@ @LIBGCRYPT_LIBS@ Cflags: @EXSLT_INCLUDEDIR@ diff --git a/libxslt.pc.in b/libxslt.pc.in index 082d64c..ccd6e77 100644 --- a/libxslt.pc.in +++ b/libxslt.pc.in @@ -9,4 +9,5 @@ Version: @VERSION@ Description: XSLT library version 2. Requires: libxml-2.0 Libs: @XSLT_LIBDIR@ @XSLT_LIBS@ @EXTRA_LIBS@ +Libs.private: @M_LIBS@ Cflags: @XSLT_INCLUDEDIR@ diff --git a/xslt-config.in b/xslt-config.in index 45c3e28..826a0a8 100644 --- a/xslt-config.in +++ b/xslt-config.in @@ -4,7 +4,6 @@ prefix=@prefix@ exec_prefix=@exec_prefix@ exec_prefix_set=no includedir=@includedir@ -libdir=@libdir@ usage() { @@ -16,6 +15,7 @@ Known values for OPTION are: --prefix=DIR change XSLT prefix [default $prefix] --exec-prefix=DIR change XSLT executable prefix [default $exec_prefix] --libs print library linking information + add --static to print static library linking information --cflags print pre-processor and compiler flags --plugins print plugin directory --help display this help and exit @@ -31,6 +31,7 @@ fi cflags=false libs=false +static=false while test $# -gt 0; do case "$1" in @@ -79,6 +80,11 @@ while test $# -gt 0; do --libs) libs=true + if [ "$2" = "--static" ] + then + shift + static=true + fi ;; *) @@ -89,7 +95,7 @@ while test $# -gt 0; do shift done -the_libs="@XSLT_LIBDIR@ @XSLT_LIBS@ @EXTRA_LIBS@" +the_libs="@XSLT_LIBS@" if test "$includedir" != "/usr/include"; then the_flags="$the_flags -I$includedir `@XML_CONFIG@ --cflags`" else @@ -100,6 +106,10 @@ if $cflags; then all_flags="$the_flags" fi +if $static; then + the_libs="$the_libs @M_LIBS@ `@XML_CONFIG@ --libs --static`" +fi + if $libs; then all_flags="$all_flags $services $the_libs" fi debian/patches/0017-Fix-error-handling-in-Saxon-extension-functions-ef7429bb4.patch0000664000000000000000000002222113454135077024714 0ustar From ef7429bb4f1433726cc8fc4fe3d134d8a439fab1 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Tue, 26 Apr 2016 15:36:48 +0200 Subject: [PATCH] Fix error handling in Saxon extension functions The old code could lead to a NULL pointer dereference. - Set XPath error if saxon:expression can't compile an expression. - Check return value in saxon:eval. Add first tests for Saxon extension functions. Found with afl-fuzz and ASan. [This is possibly either CVE-2016-4607, CVE-2016-4609, or CVE-2016-4610. Adjusted Makefile.am change and dropped win32 test changes. --sbeattie] --- configure.in | 1 + libexslt/saxon.c | 8 +++++--- tests/exslt/Makefile.am | 2 +- tests/exslt/saxon/Makefile.am | 48 +++++++++++++++++++++++++++++++++++++++++++ tests/exslt/saxon/eval.1.out | 4 ++++ tests/exslt/saxon/eval.1.xml | 3 +++ tests/exslt/saxon/eval.1.xsl | 22 ++++++++++++++++++++ tests/exslt/saxon/eval.2.err | 7 +++++++ tests/exslt/saxon/eval.2.out | 2 ++ tests/exslt/saxon/eval.2.xml | 1 + tests/exslt/saxon/eval.2.xsl | 16 +++++++++++++++ tests/exslt/saxon/eval.3.err | 6 ++++++ tests/exslt/saxon/eval.3.out | 2 ++ tests/exslt/saxon/eval.3.xml | 1 + tests/exslt/saxon/eval.3.xsl | 16 +++++++++++++++ win32/runtests.py | 3 +++ 16 files changed, 138 insertions(+), 4 deletions(-) create mode 100644 tests/exslt/saxon/Makefile.am create mode 100644 tests/exslt/saxon/eval.1.out create mode 100644 tests/exslt/saxon/eval.1.xml create mode 100644 tests/exslt/saxon/eval.1.xsl create mode 100644 tests/exslt/saxon/eval.2.err create mode 100644 tests/exslt/saxon/eval.2.out create mode 100644 tests/exslt/saxon/eval.2.xml create mode 100644 tests/exslt/saxon/eval.2.xsl create mode 100644 tests/exslt/saxon/eval.3.err create mode 100644 tests/exslt/saxon/eval.3.out create mode 100644 tests/exslt/saxon/eval.3.xml create mode 100644 tests/exslt/saxon/eval.3.xsl diff --git a/configure.in b/configure.in index fee676f..7e03d11 100644 --- a/configure.in +++ b/configure.in @@ -716,6 +716,7 @@ tests/exslt/Makefile tests/exslt/common/Makefile tests/exslt/functions/Makefile tests/exslt/math/Makefile +tests/exslt/saxon/Makefile tests/exslt/sets/Makefile tests/exslt/strings/Makefile tests/exslt/date/Makefile diff --git a/libexslt/saxon.c b/libexslt/saxon.c index e92ba8d..491b31b 100644 --- a/libexslt/saxon.c +++ b/libexslt/saxon.c @@ -101,9 +101,7 @@ exsltSaxonExpressionFunction (xmlXPathParserContextPtr ctxt, int nargs) { ret = xmlXPathCompile(arg); if (ret == NULL) { xmlFree(arg); - xsltGenericError(xsltGenericErrorContext, - "{%s}:%s: argument is not an XPath expression\n", - ctxt->context->functionURI, ctxt->context->function); + xmlXPathSetError(ctxt, XPATH_EXPR_ERROR); return; } xmlHashAddEntry(hash, arg, (void *) ret); @@ -147,6 +145,10 @@ exsltSaxonEvalFunction (xmlXPathParserContextPtr ctxt, int nargs) { expr = (xmlXPathCompExprPtr) xmlXPathPopExternal(ctxt); ret = xmlXPathCompiledEval(expr, ctxt->context); + if (ret == NULL) { + xmlXPathSetError(ctxt, XPATH_EXPR_ERROR); + return; + } valuePush(ctxt, ret); } diff --git a/tests/exslt/Makefile.am b/tests/exslt/Makefile.am index f749efd..aeb58c1 100644 --- a/tests/exslt/Makefile.am +++ b/tests/exslt/Makefile.am @@ -1,6 +1,6 @@ ## Process this file with automake to produce Makefile.in -SUBDIRS=common functions math sets strings dynamic date +SUBDIRS=common functions math saxon sets strings dynamic date test tests: @(cur=`pwd` ; for dir in $(SUBDIRS) ; do cd $$dir ; $(MAKE) CHECKER='$(CHECKER)' tests ; cd $$cur ; done) diff --git a/tests/exslt/saxon/Makefile.am b/tests/exslt/saxon/Makefile.am new file mode 100644 index 0000000..8535633 --- /dev/null +++ b/tests/exslt/saxon/Makefile.am @@ -0,0 +1,48 @@ +## Process this file with automake to produce Makefile.in + +$(top_builddir)/xsltproc/xsltproc: + @(cd ../../../xsltproc ; $(MAKE) xsltproc) + +EXTRA_DIST = \ + eval.1.out eval.1.xml eval.1.xsl \ + eval.2.out eval.2.xml eval.2.xsl \ + eval.3.out eval.3.xml eval.3.xsl + +CLEANFILES = .memdump + +valgrind: + @echo '## Running the regression tests under Valgrind' + $(MAKE) CHECKER='libtool --mode=execute valgrind -q --leak-check=full' tests + +test tests: $(top_builddir)/xsltproc/xsltproc + @echo '## Running exslt saxon tests' + @(echo > .memdump) + @(for i in $(srcdir)/*.xsl ; do \ + name=`basename $$i .xsl` ; \ + if [ ! -f $(srcdir)/$$name.xml ] ; then continue ; fi ; \ + log=`$(CHECKER) $(top_builddir)/xsltproc/xsltproc \ + $(srcdir)/$$name.xsl $(srcdir)/$$name.xml > $$name.res 2>$$name.bad;\ + if [ ! -f $(srcdir)/$$name.out ] ; then \ + cp $$name.res $(srcdir)/$$name.out ; \ + if [ -s $$name.bad ] ; then \ + mv $$name.bad $(srcdir)/$$name.err ; \ + fi ; \ + else \ + if [ ! -s $$name.res ] ; then \ + echo "Fatal error, no $$name.res\n" ; \ + else \ + diff $(srcdir)/$$name.out $$name.res ; \ + if [ -s $(srcdir)/$$name.err ] ; then \ + diff $(srcdir)/$$name.err $$name.bad; \ + else \ + diff /dev/null $$name.bad; \ + fi ; \ + fi ; \ + fi; \ + grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0" || true`;\ + if [ -n "$$log" ] ; then \ + echo $$name result ; \ + echo "$$log" ; \ + fi ; \ + rm -f $$name.res $$name.bad ; \ + done) diff --git a/tests/exslt/saxon/eval.1.out b/tests/exslt/saxon/eval.1.out new file mode 100644 index 0000000..7d0c03a --- /dev/null +++ b/tests/exslt/saxon/eval.1.out @@ -0,0 +1,4 @@ + + + 2 + diff --git a/tests/exslt/saxon/eval.1.xml b/tests/exslt/saxon/eval.1.xml new file mode 100644 index 0000000..651887c --- /dev/null +++ b/tests/exslt/saxon/eval.1.xml @@ -0,0 +1,3 @@ + + 1+1 + diff --git a/tests/exslt/saxon/eval.1.xsl b/tests/exslt/saxon/eval.1.xsl new file mode 100644 index 0000000..ee97a71 --- /dev/null +++ b/tests/exslt/saxon/eval.1.xsl @@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + + + + diff --git a/tests/exslt/saxon/eval.2.err b/tests/exslt/saxon/eval.2.err new file mode 100644 index 0000000..df8adfb --- /dev/null +++ b/tests/exslt/saxon/eval.2.err @@ -0,0 +1,7 @@ +XPath error : Invalid expression +### +^ +XPath error : Invalid expression +xmlXPathCompiledEval: evaluation failed +runtime error: file ./eval.2.xsl line 11 element value-of +XPath evaluation returned no result. diff --git a/tests/exslt/saxon/eval.2.out b/tests/exslt/saxon/eval.2.out new file mode 100644 index 0000000..3048a90 --- /dev/null +++ b/tests/exslt/saxon/eval.2.out @@ -0,0 +1,2 @@ + + diff --git a/tests/exslt/saxon/eval.2.xml b/tests/exslt/saxon/eval.2.xml new file mode 100644 index 0000000..69d62f2 --- /dev/null +++ b/tests/exslt/saxon/eval.2.xml @@ -0,0 +1 @@ + diff --git a/tests/exslt/saxon/eval.2.xsl b/tests/exslt/saxon/eval.2.xsl new file mode 100644 index 0000000..a193fdd --- /dev/null +++ b/tests/exslt/saxon/eval.2.xsl @@ -0,0 +1,16 @@ + + + + + + + + + + + + diff --git a/tests/exslt/saxon/eval.3.err b/tests/exslt/saxon/eval.3.err new file mode 100644 index 0000000..5a87793 --- /dev/null +++ b/tests/exslt/saxon/eval.3.err @@ -0,0 +1,6 @@ +XPath error : Undefined namespace prefix +xmlXPathCompiledEval: evaluation failed +XPath error : Invalid expression +xmlXPathCompiledEval: evaluation failed +runtime error: file ./eval.3.xsl line 11 element value-of +XPath evaluation returned no result. diff --git a/tests/exslt/saxon/eval.3.out b/tests/exslt/saxon/eval.3.out new file mode 100644 index 0000000..3048a90 --- /dev/null +++ b/tests/exslt/saxon/eval.3.out @@ -0,0 +1,2 @@ + + diff --git a/tests/exslt/saxon/eval.3.xml b/tests/exslt/saxon/eval.3.xml new file mode 100644 index 0000000..69d62f2 --- /dev/null +++ b/tests/exslt/saxon/eval.3.xml @@ -0,0 +1 @@ + diff --git a/tests/exslt/saxon/eval.3.xsl b/tests/exslt/saxon/eval.3.xsl new file mode 100644 index 0000000..5f75f3c --- /dev/null +++ b/tests/exslt/saxon/eval.3.xsl @@ -0,0 +1,16 @@ + + + + + + + + + + + + -- 2.7.4 debian/patches/0015-CVE-2017-5029.patch0000664000000000000000000000451513454135077013642 0ustar commit 08ab2774b870de1c7b5a48693df75e8154addae5 Author: Nick Wellnhofer Date: Thu Jan 12 15:39:52 2017 +0100 Check for integer overflow in xsltAddTextString Limit buffer size in xsltAddTextString to INT_MAX. The issue can be exploited to trigger an out of bounds write on 64-bit systems. Originally reported to Chromium: https://crbug.com/676623 CVE-2017-5029 diff --git a/libxslt/transform.c b/libxslt/transform.c index 519133f..02bff34 100644 --- a/libxslt/transform.c +++ b/libxslt/transform.c @@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, return(target); if (ctxt->lasttext == target->content) { + int minSize; - if (ctxt->lasttuse + len >= ctxt->lasttsize) { + /* Check for integer overflow accounting for NUL terminator. */ + if (len >= INT_MAX - ctxt->lasttuse) { + xsltTransformError(ctxt, NULL, target, + "xsltCopyText: text allocation failed\n"); + return(NULL); + } + minSize = ctxt->lasttuse + len + 1; + + if (ctxt->lasttsize < minSize) { xmlChar *newbuf; int size; + int extra; + + /* Double buffer size but increase by at least 100 bytes. */ + extra = minSize < 100 ? 100 : minSize; + + /* Check for integer overflow. */ + if (extra > INT_MAX - ctxt->lasttsize) { + size = INT_MAX; + } + else { + size = ctxt->lasttsize + extra; + } - size = ctxt->lasttsize + len + 100; - size *= 2; newbuf = (xmlChar *) xmlRealloc(target->content,size); if (newbuf == NULL) { xsltTransformError(ctxt, NULL, target, diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h index 060b178..5ad1771 100644 --- a/libxslt/xsltInternals.h +++ b/libxslt/xsltInternals.h @@ -1754,8 +1754,8 @@ struct _xsltTransformContext { * Speed optimization when coalescing text nodes */ const xmlChar *lasttext; /* last text node content */ - unsigned int lasttsize; /* last text node size */ - unsigned int lasttuse; /* last text node use */ + int lasttsize; /* last text node size */ + int lasttuse; /* last text node use */ /* * Per Context Debugging */ debian/patches/0009-CVE-2015-7995.patch0000664000000000000000000000207213454135077013655 0ustar From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Thu, 29 Oct 2015 19:33:23 +0800 Subject: [PATCH] Fix for type confusion in preprocessing attributes CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10 We need to check that the parent node is an element before dereferencing its namespace --- libxslt/preproc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libxslt/preproc.c b/libxslt/preproc.c index 0eb80a0..7f69325 100644 --- a/libxslt/preproc.c +++ b/libxslt/preproc.c @@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) { } else if (IS_XSLT_NAME(inst, "attribute")) { xmlNodePtr parent = inst->parent; - if ((parent == NULL) || (parent->ns == NULL) || + if ((parent == NULL) || + (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) || ((parent->ns != inst->ns) && (!xmlStrEqual(parent->ns->href, inst->ns->href))) || (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) { -- 2.7.4 debian/patches/0004-Adding-doc-update-related-to-1.1.28.patch0000664000000000000000000003647013454135077020240 0ustar From: Daniel Veillard Date: Wed, 21 Nov 2012 07:36:11 +0000 Subject: Adding doc update related to 1.1.28 --- NEWS | 23 +++++++++++++++ doc/libxslt.xsa | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++----- doc/news.html | 25 +++++++++++++++- doc/xslt.html | 25 ++++++++++++++++ 4 files changed, 152 insertions(+), 8 deletions(-) diff --git a/NEWS b/NEWS index cbc1c5e..ff65b6a 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,29 @@ See the git page at http://git.gnome.org/browse/libxslt/ to get a description of the recent commits.Those are the public releases made: +1.1.28: Nov 21 2012: + - Portability: + Fix python build by using libxsltmod_la_CPPFLAGS instead of AM_CPPFLAGS (Alexandre Rostovtsev), + configure should be more careful with linker script (Igor Pashev), + add gcrypt library in LIBADD, not LDFLAGS, as recommended (Roumen Petrov) + + - Bug fixes: + Fix generate-id() to avoid generating the same ID (Stewart Brodie), + Fix crash with empty xsl:key/@match attribute (Nick Wellnhofer), + Crash when passing an uninitialized variable to document() (Nick Wellnhofer), + Add missing test docs to EXTRA_DIST (Nick Wellnhofer), + Fix regression: Default namespace not correctly used (Nick Wellnhofer) + + - Cleanups: + Remove xsltTransStorageAdd and xsltTransStorageRemove from symbols.xml (Daniel Veillard), + autogen.sh cleanup (Daniel Richard), + consistent use of xslt processor (Roumen Petrov), + Add object files in tests/plugins to .gitignore (Nick Wellnhofer), + Fix error on bug-165 regression test (Daniel Veillard), + Remove xsltTransStorageAdd and xsltTransStorageRemove (Daniel Veillard), + + + 1.1.27: Sep 12 2012: - Portability: xincludestyle wasn't protected with LIBXML_XINCLUDE_ENABLED (Michael Bonfils), diff --git a/doc/libxslt.xsa b/doc/libxslt.xsa index ad3aaf2..04d8c0d 100644 --- a/doc/libxslt.xsa +++ b/doc/libxslt.xsa @@ -8,16 +8,89 @@ libxslt - 1.1.26 - Sep 24 2009 + 1.1.27 + Sep 12 2012 http://xmlsoft.org/XSLT/ - - Improvement: - Add xsltProcessOneNode to exported symbols for lxml (Daniel Veillard) + - Portability: + xincludestyle wasn't protected with LIBXML_XINCLUDE_ENABLED (Michael Bonfils), + Portability fix for testThreads.c (IlyaS), + FreeBSD portability fixes (Pedro F. Giffuni), + check for gmtime - on mingw* hosts will enable date-time function (Roumen Petrov), + use only native crypto-API for mingw* hosts (Roumen Petrov), + autogen: Only check for libtoolize (Colin Walters), + minimal mingw support (Roumen Petrov), + configure: acconfig.h is deprecated since autoconf-2.50 (Stefan Kost), + Fix a small out of tree compilation issue (Hao Hu), + Fix python generator to not use deprecated xmllib (Daniel Veillard), + link python module with python library (Frederic Crozat) + + - Documentation: + Tiny doc improvement (Daniel Veillard), + Various documentation fixes for docs on internals (C. M. Sperberg-McQueen) - Bug fixes: - Fix an idness generation problem (Daniel Veillard), - 595612 Try to fix some locking problems (Daniel Veillard), - Fix a crash on misformed imported stylesheets (Daniel Veillard) + Report errors on variable use in key (Daniel Veillard), + The XSLT namespace string is a constant one (Daniel Veillard), + Fix handling of names in xsl:attribute (Nick Wellnhofer), + Reserved namespaces in xsl:element and xsl:attribute (Nick Wellnhofer), + Null-terminate result string of cry:rc4_decrypt (Nick Wellnhofer), + EXSLT date normalization fix (James Muscat), + Exit after compilation of invalid func:result (Nick Wellnhofer), + Fix for EXSLT func:function (Nick Wellnhofer), + Rewrite EXSLT string:replace to be conformant (Nick Wellnhofer), + Avoid a heap use after free error (Chris Evans), + Fix a dictionary string usage (Chris Evans), + Output should not include extraneous newlines when indent is off (Laurence Rowe), + document('') fails to return stylesheets parsed from memory (Jason Viers), + xsltproc should return an error code if xinclude fails (Malcolm Purvis), + Forwards-compatible processing of unknown top level elements (Nick Wellnhofer), + Fix system-property with unknown namespace (Nick Wellnhofer), + Hardening of code checking node types in EXSLT (Daniel Veillard), + Hardening of code checking node types in various entry point (Daniel Veillard), + Cleanup of the pattern compilation code (Daniel Veillard), + Fix default template processing on namespace nodes (Daniel Veillard), + Fix a bug in selecting XSLT elements (Daniel Veillard), + Fixed bug #616839 (Daniel Mustieles), + Fix some case of pattern parsing errors (Abhishek Arya), + preproc: fix the build (Stefan Kost), + Fix a memory leak with xsl:number (Daniel Veillard), + Fix a problem with ESXLT date:add() with January (money_seshu Dronamraju), + Fix a memory leak if compiled with Windows locale support (Daniel Veillard), + Fix generate-id() to not expose object addresses (Daniel Veillard), + Fix curlies support in literals for non-compiled AVTs (Nick Wellnhofer), + Allow whitespace in xsl:variable with select (Nick Wellnhofer), + Small fixes to locale code (Nick Wellnhofer), + Fix bug 602515 (Nick Wellnhofer), + Fix popping of vars in xsltCompilerNodePop (Nick Wellnhofer), + Fix direct pattern matching bug (Nick Wellnhofer) + + - Improvements: + Add the saxon:systemId extension (Mike Hommey), + Add an append mode to document output (Daniel Veillard), + Add new tests to EXTRA_DIST (Nick Wellnhofer), + Test for bug #680920 (Nick Wellnhofer), + fix regresson in Various "make distcheck" and other fixes (Roumen Petrov), + Various "make distcheck" and other fixes (Daniel Richard G), + Fix portability to upcoming libxml2-2.9.0 (Daniel Veillard), + Adding --system flag support to autogen.sh (Daniel Veillard), + Allow per-context override of xsltMaxDepth, introduce xsltMaxVars (Jérôme Carretero), + autogen.sh: Honor NOCONFIGURE environment variable (Colin Walters), + configure: support silent automake rules if possible (Stefan Kost), + Precompile patterns in xsl:number (Nick Wellnhofer), + Fix some warnings in the refactored code (Nick Wellnhofer), + Adding new generated files (Daniel Veillard), + profiling: add callgraph report (Stefan Kost) + + - Cleanups: + Big space and tabs cleanup (Daniel Veillard), + Fix authors list (Daniel Veillard), + Cleanups some of the test makefiles (Daniel Richard), + Remove .cvsignore files which are not needed anymore (Daniel Veillard), + Cleanup some misplaced spaces and tabs (Daniel Veillard), + Augment list of ignored files (Daniel Veillard), + configure: remove checks for isinf and isnan as those are not used anyway (Stefan Kost), + Point to GIT for source code and a bit of cleanup (Daniel Veillard), + Get rid of specific build setup and STATIC_BINARIES (Daniel Veillard) diff --git a/doc/news.html b/doc/news.html index 15ae10d..60d242e 100644 --- a/doc/news.html +++ b/doc/news.html @@ -9,7 +9,30 @@ H3 {font-family: Verdana,Arial,Helvetica} A:link, A:visited, A:active { text-decoration: underline } News
Action against software patentsGNOME2 LogoW3C logoRed Hat Logo
Made with Libxslt Logo

The XSLT C library for GNOME

News

Main Menu
Related links
API Indexes

See the git page -to get a description of the recent commits.

Those are the public releases made:

1.1.27: Sep 12 2012

    +to get a description of the recent commits.

    Those are the public releases made:

    1.1.28: Nov 21 2012

      +
    • Portability:
      + Fix python build by using libxsltmod_la_CPPFLAGS instead of AM_CPPFLAGS (Alexandre Rostovtsev),
      + configure should be more careful with linker script (Igor Pashev),
      + add gcrypt library in LIBADD, not LDFLAGS, as recommended (Roumen Petrov)
      +
      • + +
    • Bug fixes:
      + Fix generate-id() to avoid generating the same ID (Stewart Brodie),
      + Fix crash with empty xsl:key/@match attribute (Nick Wellnhofer),
      + Crash when passing an uninitialized variable to document() (Nick Wellnhofer),
      + Add missing test docs to EXTRA_DIST (Nick Wellnhofer),
      + Fix regression: Default namespace not correctly used (Nick Wellnhofer)
      +
      • + +
    • Cleanups:
      + Remove xsltTransStorageAdd and xsltTransStorageRemove from symbols.xml (Daniel Veillard),
      + autogen.sh cleanup (Daniel Richard),
      + consistent use of xslt processor (Roumen Petrov),
      + Add object files in tests/plugins to .gitignore (Nick Wellnhofer),
      + Fix error on bug-165 regression test (Daniel Veillard),
      + Remove xsltTransStorageAdd and xsltTransStorageRemove (Daniel Veillard),
      +
      • +

    1.1.27: Sep 12 2012

    • Portability:
      xincludestyle wasn't protected with LIBXML_XINCLUDE_ENABLED (Michael Bonfils),
      Portability fix for testThreads.c (IlyaS),
      diff --git a/doc/xslt.html b/doc/xslt.html index f7fb595..71e208f 100644 --- a/doc/xslt.html +++ b/doc/xslt.html @@ -305,6 +305,31 @@ to get a description of the recent commits.

      Those are the public releases made:

      +

      1.1.28: Nov 21 2012

      +
        +
      • Portability:
        + Fix python build by using libxsltmod_la_CPPFLAGS instead of AM_CPPFLAGS (Alexandre Rostovtsev),
        + configure should be more careful with linker script (Igor Pashev),
        + add gcrypt library in LIBADD, not LDFLAGS, as recommended (Roumen Petrov)
        +
        • + +
      • Bug fixes:
        + Fix generate-id() to avoid generating the same ID (Stewart Brodie),
        + Fix crash with empty xsl:key/@match attribute (Nick Wellnhofer),
        + Crash when passing an uninitialized variable to document() (Nick Wellnhofer),
        + Add missing test docs to EXTRA_DIST (Nick Wellnhofer),
        + Fix regression: Default namespace not correctly used (Nick Wellnhofer)
        +
        • + +
      • Cleanups:
        + Remove xsltTransStorageAdd and xsltTransStorageRemove from symbols.xml (Daniel Veillard),
        + autogen.sh cleanup (Daniel Richard),
        + consistent use of xslt processor (Roumen Petrov),
        + Add object files in tests/plugins to .gitignore (Nick Wellnhofer),
        + Fix error on bug-165 regression test (Daniel Veillard),
        + Remove xsltTransStorageAdd and xsltTransStorageRemove (Daniel Veillard),
        +
        • +

      1.1.27: Sep 12 2012

      • Portability:
        debian/patches/0019-Fix-saxon-line-number-with-namespace-nodes-8b90c9a6.patch0000664000000000000000000001214513454135077023506 0ustar From 8b90c9a699e0eaa98bbeec63a473ddc73aaa238c Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Tue, 26 Apr 2016 17:29:05 +0200 Subject: [PATCH] Fix saxon:line-number with namespace nodes exsltSaxonLineNumberFunction must make sure not to pass namespace "nodes" to xmlGetLineNo. Otherwise, an OOB heap read results which typically leads to a segfault. Found with afl-fuzz and ASan. [This is possibly either CVE-2016-4607, CVE-2016-4609, or CVE-2016-4610.] --- libexslt/saxon.c | 45 ++++++++++++++++++++++++++++-------------- tests/exslt/saxon/Makefile.am | 3 ++- tests/exslt/saxon/lineno.1.out | 6 ++++++ tests/exslt/saxon/lineno.1.xml | 9 +++++++++ tests/exslt/saxon/lineno.1.xsl | 24 ++++++++++++++++++++++ 5 files changed, 71 insertions(+), 16 deletions(-) create mode 100644 tests/exslt/saxon/lineno.1.out create mode 100644 tests/exslt/saxon/lineno.1.xml create mode 100644 tests/exslt/saxon/lineno.1.xsl diff --git a/libexslt/saxon.c b/libexslt/saxon.c index 491b31b..7a2f63b 100644 --- a/libexslt/saxon.c +++ b/libexslt/saxon.c @@ -229,11 +229,12 @@ exsltSaxonSystemIdFunction(xmlXPathParserContextPtr ctxt, int nargs) static void exsltSaxonLineNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) { xmlNodePtr cur = NULL; + xmlXPathObjectPtr obj = NULL; + long lineNo = -1; if (nargs == 0) { cur = ctxt->context->node; } else if (nargs == 1) { - xmlXPathObjectPtr obj; xmlNodeSetPtr nodelist; int i; @@ -246,18 +247,14 @@ exsltSaxonLineNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) { obj = valuePop(ctxt); nodelist = obj->nodesetval; - if ((nodelist == NULL) || (nodelist->nodeNr <= 0)) { - xmlXPathFreeObject(obj); - valuePush(ctxt, xmlXPathNewFloat(-1)); - return; - } - cur = nodelist->nodeTab[0]; - for (i = 1;i < nodelist->nodeNr;i++) { - int ret = xmlXPathCmpNodes(cur, nodelist->nodeTab[i]); - if (ret == -1) - cur = nodelist->nodeTab[i]; - } - xmlXPathFreeObject(obj); + if ((nodelist != NULL) && (nodelist->nodeNr > 0)) { + cur = nodelist->nodeTab[0]; + for (i = 1;i < nodelist->nodeNr;i++) { + int ret = xmlXPathCmpNodes(cur, nodelist->nodeTab[i]); + if (ret == -1) + cur = nodelist->nodeTab[i]; + } + } } else { xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL, "saxon:line-number() : invalid number of args %d\n", @@ -266,8 +263,26 @@ exsltSaxonLineNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) { return; } - valuePush(ctxt, xmlXPathNewFloat(xmlGetLineNo(cur))); - return; + if ((cur != NULL) && (cur->type == XML_NAMESPACE_DECL)) { + /* + * The XPath module sets the owner element of a ns-node on + * the ns->next field. + */ + cur = (xmlNodePtr) ((xmlNsPtr) cur)->next; + if (cur == NULL || cur->type != XML_ELEMENT_NODE) { + xsltGenericError(xsltGenericErrorContext, + "Internal error in exsltSaxonLineNumberFunction: " + "Cannot retrieve the doc of a namespace node.\n"); + cur = NULL; + } + } + + if (cur != NULL) + lineNo = xmlGetLineNo(cur); + + valuePush(ctxt, xmlXPathNewFloat(lineNo)); + + xmlXPathFreeObject(obj); } /** diff --git a/tests/exslt/saxon/Makefile.am b/tests/exslt/saxon/Makefile.am index 8535633..22d6b62 100644 --- a/tests/exslt/saxon/Makefile.am +++ b/tests/exslt/saxon/Makefile.am @@ -6,7 +6,8 @@ $(top_builddir)/xsltproc/xsltproc: EXTRA_DIST = \ eval.1.out eval.1.xml eval.1.xsl \ eval.2.out eval.2.xml eval.2.xsl \ - eval.3.out eval.3.xml eval.3.xsl + eval.3.out eval.3.xml eval.3.xsl \ + lineno.1.out lineno.1.xml lineno.1.xsl CLEANFILES = .memdump diff --git a/tests/exslt/saxon/lineno.1.out b/tests/exslt/saxon/lineno.1.out new file mode 100644 index 0000000..3350b08 --- /dev/null +++ b/tests/exslt/saxon/lineno.1.out @@ -0,0 +1,6 @@ + + + 1 + 8 + 8 + diff --git a/tests/exslt/saxon/lineno.1.xml b/tests/exslt/saxon/lineno.1.xml new file mode 100644 index 0000000..5b05110 --- /dev/null +++ b/tests/exslt/saxon/lineno.1.xml @@ -0,0 +1,9 @@ + + + + diff --git a/tests/exslt/saxon/lineno.1.xsl b/tests/exslt/saxon/lineno.1.xsl new file mode 100644 index 0000000..909a93e --- /dev/null +++ b/tests/exslt/saxon/lineno.1.xsl @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + + + + -- 2.7.4 debian/patches/0010-CVE-2016-1683.patch0000664000000000000000000001226213454135077013634 0ustar commit d182d8f6ba3071503d96ce17395c9d55871f0242 Author: Nick Wellnhofer Date: Tue Mar 22 18:20:01 2016 +0100 Fix xsltNumberFormatGetMultipleLevel Namespace nodes are actually an xmlNs, not an xmlNode. They must be special-cased in xsltNumberFormatGetMultipleLevel to avoid an out-of-bounds heap access. Move the test whether a node matches the "count" pattern to a separate function to make the code more readable. As a side effect, we also compare expanded names when walking up the ancestor axis, fixing an insignificant bug. diff --git a/libxslt/numbers.c b/libxslt/numbers.c index e3209e0..184ee6f 100644 --- a/libxslt/numbers.c +++ b/libxslt/numbers.c @@ -532,6 +532,43 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data, } static int +xsltTestCompMatchCount(xsltTransformContextPtr context, + xmlNodePtr node, + xsltCompMatchPtr countPat, + xmlNodePtr cur) +{ + if (countPat != NULL) { + return xsltTestCompMatchList(context, node, countPat); + } + else { + /* + * 7.7 Numbering + * + * If count attribute is not specified, then it defaults to the + * pattern that matches any node with the same node type as the + * current node and, if the current node has an expanded-name, with + * the same expanded-name as the current node. + */ + if (node->type != cur->type) + return 0; + if (node->type == XML_NAMESPACE_DECL) + /* + * Namespace nodes have no preceding siblings and no parents + * that are namespace nodes. This means that node == cur. + */ + return 1; + /* TODO: Skip node types without expanded names like text nodes. */ + if (!xmlStrEqual(node->name, cur->name)) + return 0; + if (node->ns == cur->ns) + return 1; + if ((node->ns == NULL) || (cur->ns == NULL)) + return 0; + return (xmlStrEqual(node->ns->href, cur->ns->href)); + } +} + +static int xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context, xmlNodePtr node, xsltCompMatchPtr countPat, @@ -562,21 +599,8 @@ xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context, while (cur != NULL) { /* process current node */ - if (countPat == NULL) { - if ((node->type == cur->type) && - /* FIXME: must use expanded-name instead of local name */ - xmlStrEqual(node->name, cur->name)) { - if ((node->ns == cur->ns) || - ((node->ns != NULL) && - (cur->ns != NULL) && - (xmlStrEqual(node->ns->href, - cur->ns->href) ))) - cnt++; - } - } else { - if (xsltTestCompMatchList(context, cur, countPat)) - cnt++; - } + if (xsltTestCompMatchCount(context, cur, countPat, node)) + cnt++; if ((fromPat != NULL) && xsltTestCompMatchList(context, cur, fromPat)) { break; /* while */ @@ -633,30 +657,18 @@ xsltNumberFormatGetMultipleLevel(xsltTransformContextPtr context, xsltTestCompMatchList(context, ancestor, fromPat)) break; /* for */ - if ((countPat == NULL && node->type == ancestor->type && - xmlStrEqual(node->name, ancestor->name)) || - xsltTestCompMatchList(context, ancestor, countPat)) { + if (xsltTestCompMatchCount(context, ancestor, countPat, node)) { /* count(preceding-sibling::*) */ - cnt = 0; - for (preceding = ancestor; + cnt = 1; + for (preceding = + xmlXPathNextPrecedingSibling(parser, ancestor); preceding != NULL; preceding = xmlXPathNextPrecedingSibling(parser, preceding)) { - if (countPat == NULL) { - if ((preceding->type == ancestor->type) && - xmlStrEqual(preceding->name, ancestor->name)){ - if ((preceding->ns == ancestor->ns) || - ((preceding->ns != NULL) && - (ancestor->ns != NULL) && - (xmlStrEqual(preceding->ns->href, - ancestor->ns->href) ))) - cnt++; - } - } else { - if (xsltTestCompMatchList(context, preceding, - countPat)) - cnt++; - } + + if (xsltTestCompMatchCount(context, preceding, countPat, + node)) + cnt++; } array[amount++] = (double)cnt; if (amount >= max) diff --git a/tests/docs/bug-186.xml b/tests/docs/bug-186.xml new file mode 100644 index 0000000..424db6b --- /dev/null +++ b/tests/docs/bug-186.xml @@ -0,0 +1,4 @@ + + + + diff --git a/tests/general/bug-186.out b/tests/general/bug-186.out new file mode 100644 index 0000000..01a59f8 --- /dev/null +++ b/tests/general/bug-186.out @@ -0,0 +1,5 @@ + + +1111 +1111 + diff --git a/tests/general/bug-186.xsl b/tests/general/bug-186.xsl new file mode 100644 index 0000000..9c491dd --- /dev/null +++ b/tests/general/bug-186.xsl @@ -0,0 +1,7 @@ + + + + + + + debian/patches/0008-Fix-quoting-of-xlocale-test-program-in-configure.in.patch0000664000000000000000000000253413454135077024115 0ustar From: Nick Wellnhofer Date: Tue, 30 Jul 2013 11:57:28 +0000 Subject: Fix quoting of xlocale test program in configure.in Double square brackets aren't needed anymore, probably due to the changes in commit a2cd8a03. --- configure.in | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/configure.in b/configure.in index 767e980..ac004fe 100644 --- a/configure.in +++ b/configure.in @@ -196,21 +196,21 @@ typedef locale_t xsltLocale; #endif ]],[[ xsltLocale locale; - const char *src[[2]] = { "\xc3\x84rger", "Zeppelin" }; - char *dst[[2]]; + const char *src[2] = { "\xc3\x84rger", "Zeppelin" }; + char *dst[2]; size_t len, r; int i; locale = newlocale(LC_COLLATE_MASK, "en_US.utf8", NULL); if (locale == NULL) exit(1); for (i=0; i<2; ++i) { - len = strxfrm_l(NULL, src[[i]], 0, locale) + 1; - dst[[i]] = malloc(len); - if(dst[[i]] == NULL) exit(1); - r = strxfrm_l(dst[[i]], src[[i]], len, locale); + len = strxfrm_l(NULL, src[i], 0, locale) + 1; + dst[i] = malloc(len); + if(dst[i] == NULL) exit(1); + r = strxfrm_l(dst[i], src[i], len, locale); if(r >= len) exit(1); } - if (strcmp(dst[[0]], dst[[1]]) >= 0) exit(1); + if (strcmp(dst[0], dst[1]) >= 0) exit(1); exit(0); return(0); debian/patches/0018-Fix-dyn-map-with-namespace-nodes-93bb3147.patch0000664000000000000000000000616413454135077021424 0ustar From 93bb314768aafaffad1df15bbee10b7c5423e283 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Tue, 26 Apr 2016 15:39:06 +0200 Subject: [PATCH] Fix dyn:map with namespace nodes exsltDynMapFunction didn't handle namespace nodes correctly. Namespace nodes are actually an xmlNs, not an xmlNode and must be special-cased. The old code initialized the doc pointer in the XPath context struct with a value read from past the end of the xmlNs struct. Typically, this resulted in a segfault. Found with afl-fuzz and ASan. [This is possibly either CVE-2016-4607, CVE-2016-4609, or CVE-2016-4610.] --- libexslt/dynamic.c | 21 +++++++++++++++++++-- tests/exslt/dynamic/dynmap.out | 3 +++ tests/exslt/dynamic/dynmap.xsl | 3 +++ 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/libexslt/dynamic.c b/libexslt/dynamic.c index e0bfe81..7b95fc5 100644 --- a/libexslt/dynamic.c +++ b/libexslt/dynamic.c @@ -167,10 +167,27 @@ exsltDynMapFunction(xmlXPathParserContextPtr ctxt, int nargs) ctxt->context->proximityPosition = 0; for (i = 0; i < nodeset->nodeNr; i++) { xmlXPathObjectPtr subResult = NULL; + xmlNodePtr cur = nodeset->nodeTab[i]; ctxt->context->proximityPosition++; - ctxt->context->node = nodeset->nodeTab[i]; - ctxt->context->doc = nodeset->nodeTab[i]->doc; + ctxt->context->node = cur; + + if (cur->type == XML_NAMESPACE_DECL) { + /* + * The XPath module sets the owner element of a ns-node on + * the ns->next field. + */ + cur = (xmlNodePtr) ((xmlNsPtr) cur)->next; + if ((cur == NULL) || (cur->type != XML_ELEMENT_NODE)) { + xsltGenericError(xsltGenericErrorContext, + "Internal error in exsltDynMapFunction: " + "Cannot retrieve the doc of a namespace node.\n"); + continue; + } + ctxt->context->doc = cur->doc; + } else { + ctxt->context->doc = cur->doc; + } subResult = xmlXPathCompiledEval(comp, ctxt->context); if (subResult != NULL) { diff --git a/tests/exslt/dynamic/dynmap.out b/tests/exslt/dynamic/dynmap.out index b75b87c..7a900ca 100644 --- a/tests/exslt/dynamic/dynmap.out +++ b/tests/exslt/dynamic/dynmap.out @@ -38,4 +38,7 @@ without-child with-child + + dynmap + diff --git a/tests/exslt/dynamic/dynmap.xsl b/tests/exslt/dynamic/dynmap.xsl index bfcef58..40f9eaf 100644 --- a/tests/exslt/dynamic/dynmap.xsl +++ b/tests/exslt/dynamic/dynmap.xsl @@ -18,6 +18,9 @@ + + + -- 2.7.4 debian/patches/0021-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic-87c3d9ea.patch0000664000000000000000000000232413454135077024703 0ustar From 87c3d9ea214fc0503fd8130b6dd97431d69cc066 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Thu, 5 May 2016 15:12:48 +0200 Subject: [PATCH] Fix OOB heap read in xsltExtModuleRegisterDynamic xsltExtModuleRegisterDynamic would read a byte before the start of a string under certain circumstances. I looks like this piece code was supposed to strip characters from the end of the extension name, but it didn't have any effect. Don't read beyond the beginning of the string and actually strip unwanted characters. Found with afl-fuzz and ASan. [Possibly one of CVE-2016-4607, CVE-2016-4609, or CVE-2016-4610] --- libxslt/extensions.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libxslt/extensions.c b/libxslt/extensions.c index 5ad73cb..ae6eef0 100644 --- a/libxslt/extensions.c +++ b/libxslt/extensions.c @@ -367,8 +367,11 @@ xsltExtModuleRegisterDynamic(const xmlChar * URI) i++; } - if (*(i - 1) == '_') + /* Strip underscores from end of string. */ + while (i > ext_name && *(i - 1) == '_') { + i--; *i = '\0'; + } /* determine module directory */ ext_directory = (xmlChar *) getenv("LIBXSLT_PLUGINS_PATH"); -- 2.7.4 debian/patches/0003-fix-typo.patch0000664000000000000000000015052013454135077014013 0ustar From: Aron Xu Date: Wed, 3 Oct 2012 00:59:10 +0800 Subject: fix typo --- doc/APIchunk6.html | 2 +- doc/APIchunk8.html | 2 +- doc/EXSLT/bugs.html | 8 ++++---- doc/EXSLT/exslt.html | 8 ++++---- doc/apibuild.py | 2 +- doc/html/libxslt-extra.html | 2 +- doc/html/libxslt-imports.html | 2 +- doc/html/libxslt-xsltInternals.html | 6 +++--- doc/html/libxslt-xsltutils.html | 6 +++--- doc/libxslt-api.xml | 20 ++++++++++---------- doc/libxslt-refs.xml | 4 ++-- libexslt/exsltconfig.h.in | 2 +- libxslt/extensions.c | 2 +- libxslt/extra.c | 2 +- libxslt/imports.c | 2 +- libxslt/numbers.c | 4 ++-- libxslt/xsltInternals.h | 6 +++--- libxslt/xsltconfig.h | 4 ++-- libxslt/xsltconfig.h.in | 4 ++-- libxslt/xsltutils.c | 14 +++++++------- libxslt/xsltwin32config.h | 4 ++-- libxslt/xsltwin32config.h.in | 4 ++-- python/tests/pyxsltproc.py | 4 ++-- tests/docbook/result/fo/gdp-handbook.fo | 2 +- tests/docbook/result/html/gdp-handbook.html | 2 +- tests/docbook/result/xhtml/gdp-handbook.xhtml | 2 +- tests/docbook/test/gdp-handbook.xml | 2 +- tests/plugins/testplugin.c | 2 +- xsltproc/xsltproc.c | 2 +- 29 files changed, 63 insertions(+), 63 deletions(-) diff --git a/doc/APIchunk6.html b/doc/APIchunk6.html index 3903db1..d348c6f 100644 --- a/doc/APIchunk6.html +++ b/doc/APIchunk6.html @@ -141,7 +141,7 @@ A:link, A:visited, A:active { text-decoration: underline } xsltText
        xsltTransformFunction
        xsltValueOf
        -
        informations
        _xsltStylesheet
        +
        information
        _xsltStylesheet
        _xsltTemplate
        _xsltTransformContext
        xsltDebug
        diff --git a/doc/APIchunk8.html b/doc/APIchunk8.html index 741f7ea..4c84886 100644 --- a/doc/APIchunk8.html +++ b/doc/APIchunk8.html @@ -224,7 +224,7 @@ A:link, A:visited, A:active { text-decoration: underline } xsltIsBlank
        xsltSetCtxtSecurityPrefs
        xsltSetSecurityPrefs
        -
        ouput
        xsltFormatNumberConversion
        +
        output
        xsltFormatNumberConversion
        out
        xsltSetGenericDebugFunc
        xsltSetGenericErrorFunc
        xsltSetTransformErrorFunc
        diff --git a/doc/EXSLT/bugs.html b/doc/EXSLT/bugs.html index bdd9bc5..e7537e5 100644 --- a/doc/EXSLT/bugs.html +++ b/doc/EXSLT/bugs.html @@ -23,7 +23,7 @@ for portability problem, it makes things really harder to track and in some cases I'm not the best person to answer a given question, ask the list instead. Do not send code, I won't debug it (but patches are really appreciated!).

        Check the following too before -posting:

        • use the search engine to get informations +posting:

          • use the search engine to get information related to your problem.
          • make sure you are using a recent version, and that the problem still shows up in those
            • @@ -37,7 +37,7 @@ posting:

            • use the search engine to get logs just preceding the possible problem
            • Please send the command showing the error as well as the input and stylesheet (as an attachment)
              • -

            Then send the bug with associated informations to reproduce it to the xslt@gnome.org list; if it's really libxslt +

          Then send the bug with associated information to reproduce it to the xslt@gnome.org list; if it's really libxslt related I will approve it. Please do not send mail to me directly, it makes things really hard to track and in some cases I am not the best person to answer a given question, ask on the list.

          To be really clear about support:

          • Support or help request MUST be sent to @@ -49,8 +49,8 @@ answer a given question, ask on the list.

            To libxslt.

          • There is no garantee for support, if your question remains unanswered after a week, repost it, making sure - you gave all the detail needed and the informations requested.
            • -
          • Failing to provide informations as requested or double checking first + you gave all the detail needed and the information requested.
            • +
          • Failing to provide information as requested or double checking first for prior feedback also carries the implicit message "the time of the library maintainers is less valuable than my time" and might not be welcome.
            • diff --git a/doc/EXSLT/exslt.html b/doc/EXSLT/exslt.html index e39aba5..b14ea49 100644 --- a/doc/EXSLT/exslt.html +++ b/doc/EXSLT/exslt.html @@ -91,7 +91,7 @@ really appreciated!).

            Check the following too before posting:

            -

            Then send the bug with associated informations to reproduce it to the Then send the bug with associated information to reproduce it to the xslt@gnome.org list; if it's really libxslt related I will approve it. Please do not send mail to me directly, it makes things really hard to track and in some cases I am not the best person to @@ -125,8 +125,8 @@ answer a given question, ask on the list.

            libxslt.
          • There is no garantee for support, if your question remains unanswered after a week, repost it, making sure - you gave all the detail needed and the informations requested.
            • -
          • Failing to provide informations as requested or double checking first + you gave all the detail needed and the information requested.
            • +
          • Failing to provide information as requested or double checking first for prior feedback also carries the implicit message "the time of the library maintainers is less valuable than my time" and might not be welcome.
            • diff --git a/doc/apibuild.py b/doc/apibuild.py index df1d66b..31598bb 100755 --- a/doc/apibuild.py +++ b/doc/apibuild.py @@ -674,7 +674,7 @@ class CParser: return((args, desc)) # - # Parse a comment block and merge the informations found in the + # Parse a comment block and merge the information found in the # parameters descriptions, finally returns a block as complete # as possible # diff --git a/doc/html/libxslt-extra.html b/doc/html/libxslt-extra.html index 9e03622..9d16496 100644 --- a/doc/html/libxslt-extra.html +++ b/doc/html/libxslt-extra.html @@ -19,7 +19,7 @@ A:link, A:visited, A:active { text-decoration: underline }

            Macro: XSLT_XT_NAMESPACE

            #define XSLT_XT_NAMESPACE

            This is James Clark's XT processor namespace for extensions.

            Function: xsltDebug

            void	xsltDebug			(xsltTransformContextPtr ctxt, 
            					 xmlNodePtr node, 
            					 xmlNodePtr inst, 
            					 xsltStylePreCompPtr comp)

            Process an debug node

            -
            ctxt:an XSLT processing context
            node:The current node
            inst:the instruction in the stylesheet
            comp:precomputed informations

            Function: xsltFunctionNodeSet

            void	xsltFunctionNodeSet		(xmlXPathParserContextPtr ctxt, 
            					 int nargs)
            
+
            ctxt:an XSLT processing context
            node:The current node
            inst:the instruction in the stylesheet
            comp:precomputed information
            Function: xsltFunctionNodeSet
            void	xsltFunctionNodeSet		(xmlXPathParserContextPtr ctxt, 
            					 int nargs)
            
 
            Implement the node-set() XSLT function node-set node-set(result-tree) This function is available in libxslt, saxon or xt namespace.
            
 
            ctxt:the XPath Parser context
            nargs:the number of arguments
            Function: xsltRegisterAllExtras
            void	xsltRegisterAllExtras		(void)
            
 
            Registers the built-in extensions
            
diff --git a/doc/html/libxslt-imports.html b/doc/html/libxslt-imports.html
index 8b7de45..7dbbf9f 100644
--- a/doc/html/libxslt-imports.html
+++ b/doc/html/libxslt-imports.html
@@ -17,7 +17,7 @@ A:link, A:visited, A:active { text-decoration: underline }
 
            Macro: XSLT_GET_IMPORT_INT
            #define XSLT_GET_IMPORT_INT
            A macro to import intergers from the stylesheet cascading order.
            
 
            Macro: XSLT_GET_IMPORT_PTR
            #define XSLT_GET_IMPORT_PTR
            A macro to import pointers from the stylesheet cascading order.
            
 
            Function: xsltFindElemSpaceHandling
            int	xsltFindElemSpaceHandling	(xsltTransformContextPtr ctxt, 
            					 xmlNodePtr node)
            
-
            Find strip-space or preserve-space informations for an element respect the import precedence or the wildcards
            
+

            Find strip-space or preserve-space information for an element respect the import precedence or the wildcards

            ctxt:an XSLT transformation context
            node:an XML node
            Returns:1 if space should be stripped, 0 if not, and 2 if everything should be CDTATA wrapped.

            Function: xsltFindTemplate

            xsltTemplatePtr	xsltFindTemplate	(xsltTransformContextPtr ctxt, 
            					 const xmlChar * name, 
            					 const xmlChar * nameURI)

            Finds the named template, apply import precedence rule. REVISIT TODO: We'll change the nameURI fields of templates to be in the string dict, so if the specified @nameURI is in the same dict, then use pointer comparison. Check if this can be done in a sane way. Maybe this function is not needed internally at transformation-time if we hard-wire the called templates to the caller.

            ctxt:an XSLT transformation context
            name:the template name
            nameURI:the template name URI
            Returns:the xsltTemplatePtr or NULL if not found

            Function: xsltNeedElemSpaceHandling

            int	xsltNeedElemSpaceHandling	(xsltTransformContextPtr ctxt)
            
diff --git a/doc/html/libxslt-xsltInternals.html b/doc/html/libxslt-xsltInternals.html
index 5cd9cc3..1daac7a 100644
--- a/doc/html/libxslt-xsltInternals.html
+++ b/doc/html/libxslt-xsltInternals.html
@@ -626,7 +626,7 @@ The content of this structure is not made public by the API.
     void *	_private	: user defined data
     int	extrasNr	: the number of extras used
     int	extrasMax	: the number of extras allocated
-    xsltRuntimeExtraPtr	extras	: extra per runtime informations
+    xsltRuntimeExtraPtr	extras	: extra per runtime information
     xsltDocumentPtr	styleList	: the stylesheet docs list
     void *	sec	: the security preferences if any
     xmlGenericErrorFunc	error	: a specific error handler
@@ -689,7 +689,7 @@ void	xsltElemPreCompDeallocator	(
            ctxt:an XSLT transformation context
            obj:an XPath object to be inspected for result tree fragments
            Returns:0 in case of success and -1 in case of error.
            Function: xsltFormatNumberConversion
            xmlXPathError	xsltFormatNumberConversion	(xsltDecimalFormatPtr self, 
            						 xmlChar * format, 
            						 double number, 
            						 xmlChar ** result)
            
 
            format-number() uses the JDK 1.1 DecimalFormat class: http://java.sun.com/products/jdk/1.1/docs/api/java.text.DecimalFormat.html Structure: pattern := subpattern{;subpattern} subpattern := {prefix}integer{.fraction}{suffix} prefix := '\\u0000'..'\\uFFFD' - specialCharacters suffix := '\\u0000'..'\\uFFFD' - specialCharacters integer := '#'* '0'* '0' fraction := '0'* '#'* Notation: X* 0 or more instances of X (X | Y) either X or Y. X..Y any character from X up to Y, inclusive. S - T characters in S, except those in T Special Characters: Symbol Meaning 0 a digit # a digit, zero shows as absent . placeholder for decimal separator , placeholder for grouping separator. ; separates formats. - default negative prefix. % multiply by 100 and show as percentage ? multiply by 1000 and show as per mille X any other characters can be used in the prefix or suffix ' used to quote special characters in a prefix or suffix.
            
-
            self:the decimal format
            format:the format requested
            number:the value to format
            result:the place to ouput the result
            Returns:a possible XPath error
            Function: xsltFreeAVTList
            void	xsltFreeAVTList			(void * avt)
            
+
            self:the decimal format
            format:the format requested
            number:the value to format
            result:the place to output the result
            Returns:a possible XPath error
            Function: xsltFreeAVTList
            void	xsltFreeAVTList			(void * avt)
            
 
            Free up the memory associated to the attribute value templates
            
 
            avt:pointer to an list of AVT structures
            Function: xsltFreeRVTs
            void	xsltFreeRVTs			(xsltTransformContextPtr ctxt)
            
 
            Frees all registered result value trees (Result Tree Fragments) of the transformation. Internal function; should not be called by user-code.
            
@@ -709,7 +709,7 @@ void	xsltElemPreCompDeallocator	(
            Returns:the newly allocated xsltStylesheetPtr or NULL in case of error
            Function: xsltNumberFormat
            void	xsltNumberFormat		(xsltTransformContextPtr ctxt, 
            					 xsltNumberDataPtr data, 
            					 xmlNodePtr node)
            
 
            Convert one number.
            
-
            ctxt:the XSLT transformation context
            data:the formatting informations
            node:the data to format
            Function: xsltParseAnyXSLTElem
            int	xsltParseAnyXSLTElem		(xsltCompilerCtxtPtr cctxt, 
            					 xmlNodePtr elem)
            
+
            ctxt:the XSLT transformation context
            data:the formatting information
            node:the data to format
            Function: xsltParseAnyXSLTElem
            int	xsltParseAnyXSLTElem		(xsltCompilerCtxtPtr cctxt, 
            					 xmlNodePtr elem)
            
 
            Parses, validates the content models and compiles XSLT instructions.
            
 
            cctxt:the compilation context
            elem:the element node of the XSLT instruction
            Returns:0 if everything's fine; -1 on API or internal errors.
            Function: xsltParseSequenceConstructor
            void	xsltParseSequenceConstructor	(xsltCompilerCtxtPtr cctxt, 
            					 xmlNodePtr cur)
            
 
            Parses a "template" content (or "sequence constructor" in XSLT 2.0 terms). This will additionally remove xsl:text elements from the tree.
            
diff --git a/doc/html/libxslt-xsltutils.html b/doc/html/libxslt-xsltutils.html
index 155f050..d173415 100644
--- a/doc/html/libxslt-xsltutils.html
+++ b/doc/html/libxslt-xsltutils.html
@@ -127,7 +127,7 @@ void	xsltDropCallCallback		(void)
 
            Returns:the value of xslDebugStatus.
            Function: xsltGetNsProp
            xmlChar *	xsltGetNsProp		(xmlNodePtr node, 
            					 const xmlChar * name, 
            					 const xmlChar * nameSpace)
            
 
            Similar to xmlGetNsProp() but with a slightly different semantic Search and get the value of an attribute associated to a node This attribute has to be anchored in the namespace specified, or has no namespace and the element is in that namespace. This does the entity substitution. This function looks in DTD attribute declaration for #FIXED or default declaration values unless DTD use has been turned off.
            
 
            node:the node
            name:the attribute name
            nameSpace:the URI of the namespace
            Returns:the attribute value or NULL if not found. It's up to the caller to free the memory.
            Function: xsltGetProfileInformation
            xmlDocPtr	xsltGetProfileInformation	(xsltTransformContextPtr ctxt)
            
-
            This function should be called after the transformation completed to extract template processing profiling informations if availble. The informations are returned as an XML document tree like <?xml version="1.0"?> <profile> <template rank="1" match="*" name="" mode="" calls="6" time="48" average="8"/> <template rank="2" match="item2|item3" name="" mode="" calls="10" time="30" average="3"/> <template rank="3" match="item1" name="" mode="" calls="5" time="17" average="3"/> </profile> The caller will need to free up the returned tree with xmlFreeDoc()
            
+
            This function should be called after the transformation completed to extract template processing profiling information if availble. The information are returned as an XML document tree like <?xml version="1.0"?> <profile> <template rank="1" match="*" name="" mode="" calls="6" time="48" average="8"/> <template rank="2" match="item2|item3" name="" mode="" calls="10" time="30" average="3"/> <template rank="3" match="item1" name="" mode="" calls="5" time="17" average="3"/> </profile> The caller will need to free up the returned tree with xmlFreeDoc()
            
 
            ctxt:a transformation context
            Returns:the xmlDocPtr corresponding to the result or NULL if not available.
            Function: xsltGetQNameURI
            const xmlChar *	xsltGetQNameURI		(xmlNodePtr node, 
            					 xmlChar ** name)
            
 
            This function analyzes @name, if the name contains a prefix, the function seaches the associated namespace in scope for it. It will also replace @name value with the NCName, the old value being freed. Errors in the prefix lookup are signalled by setting @name to NULL. NOTE: the namespace returned is a pointer to the place where it is defined and hence has the same lifespan as the document holding it.
            
 
            node:the node holding the QName
            name:pointer to the initial QName value
            Returns:the namespace URI if there is a prefix, or NULL if @name is not prefixed.
            Function: xsltGetQNameURI2
            const xmlChar *	xsltGetQNameURI2	(xsltStylesheetPtr style, 
            					 xmlNodePtr node, 
            					 const xmlChar ** name)
            
@@ -142,8 +142,8 @@ void	xsltHandleDebuggerCallback	(xmlNodePtr cur, 
            					 xmlNodePtr node, 
            ctxt:an XSLT processing context
            node:The current node
            inst:The node containing the message instruction
            Function: xsltPrintErrorContext
            void	xsltPrintErrorContext		(xsltTransformContextPtr ctxt, 
            					 xsltStylesheetPtr style, 
            					 xmlNodePtr node)
            
 
            Display the context of an error.
            
 
            ctxt:the transformation context
            style:the stylesheet
            node:the current node being processed
            Function: xsltSaveProfiling
            void	xsltSaveProfiling		(xsltTransformContextPtr ctxt, 
            					 FILE * output)
            
-
            Save the profiling informations on @output
            
-
            ctxt:an XSLT context
            output:a FILE * for saving the informations
            Function: xsltSaveResultTo
            int	xsltSaveResultTo		(xmlOutputBufferPtr buf, 
            					 xmlDocPtr result, 
            					 xsltStylesheetPtr style)
            
+
            Save the profiling information on @output
            
+
            ctxt:an XSLT context
            output:a FILE * for saving the information
            Function: xsltSaveResultTo
            int	xsltSaveResultTo		(xmlOutputBufferPtr buf, 
            					 xmlDocPtr result, 
            					 xsltStylesheetPtr style)
            
 
            Save the result @result obtained by applying the @style stylesheet to an I/O output channel @buf
            
 
            buf:an output buffer
            result:the result xmlDocPtr
            style:the stylesheet
            Returns:the number of byte written or -1 in case of failure.
            Function: xsltSaveResultToFd
            int	xsltSaveResultToFd		(int fd, 
            					 xmlDocPtr result, 
            					 xsltStylesheetPtr style)
            
 
            Save the result @result obtained by applying the @style stylesheet to an open file descriptor This does not close the descriptor.
            
diff --git a/doc/libxslt-api.xml b/doc/libxslt-api.xml
index 1cf7c89..5309baf 100644
--- a/doc/libxslt-api.xml
+++ b/doc/libxslt-api.xml
@@ -1362,7 +1362,7 @@ preserve space elements'/>
 *'/>
       
       
+information are stored'/>
       
       
       
@@ -1451,7 +1451,7 @@ TODO: We need to get rid of this.
 *  refactored code.
 *'/>
       
-      
+      
       
       
       
@@ -1511,7 +1511,7 @@ TODO: We need to get rid of this.
       
       
       
-      
+      
       
       
       
@@ -1858,7 +1858,7 @@ exits'/>
       
       
       
-      
+      
     
     
       Dumps a list of the registered XSLT extension functions and elements
@@ -2085,7 +2085,7 @@ exits'/>
       
     
     
-      Find strip-space or preserve-space informations for an element respect the import precedence or the wildcards
+      Find strip-space or preserve-space information for an element respect the import precedence or the wildcards
       
       
       
@@ -2111,7 +2111,7 @@ exits'/>
       
       
       
-      
+      
     
     
       Implement the format-number() XSLT function string format-number(number, string, string?)
@@ -2296,7 +2296,7 @@ exits'/>
       
     
     
-      This function should be called after the transformation completed to extract template processing profiling informations if availble. The informations are returned as an XML document tree like <?xml version="1.0"?> <profile> <template rank="1" match="*" name="" mode="" calls="6" time="48" average="8"/> <template rank="2" match="item2|item3" name="" mode="" calls="10" time="30" average="3"/> <template rank="3" match="item1" name="" mode="" calls="5" time="17" average="3"/> </profile> The caller will need to free up the returned tree with xmlFreeDoc()
+      This function should be called after the transformation completed to extract template processing profiling information if availble. The information are returned as an XML document tree like <?xml version="1.0"?> <profile> <template rank="1" match="*" name="" mode="" calls="6" time="48" average="8"/> <template rank="2" match="item2|item3" name="" mode="" calls="10" time="30" average="3"/> <template rank="3" match="item1" name="" mode="" calls="5" time="17" average="3"/> </profile> The caller will need to free up the returned tree with xmlFreeDoc()
       
       
     
@@ -2539,7 +2539,7 @@ exits'/>
       Convert one number.
       
       
-      
+      
       
     
     
@@ -2856,10 +2856,10 @@ exits'/>
       
     
     
-      Save the profiling informations on @output
+      Save the profiling information on @output
       
       
-      
+      
     
     
       Save the result @result obtained by applying the @style stylesheet to an I/O output channel @buf
diff --git a/doc/libxslt-refs.xml b/doc/libxslt-refs.xml
index 3d2169f..d7b1094 100644
--- a/doc/libxslt-refs.xml
+++ b/doc/libxslt-refs.xml
@@ -5553,7 +5553,7 @@
           
           
         
-        
+        
           
           
           
@@ -6437,7 +6437,7 @@
           
           
         
-        
+        
           
         
         
diff --git a/libexslt/exsltconfig.h.in b/libexslt/exsltconfig.h.in
index b46ffc0..03b4b3b 100644
--- a/libexslt/exsltconfig.h.in
+++ b/libexslt/exsltconfig.h.in
@@ -1,5 +1,5 @@
 /*
- * exsltconfig.h: compile-time version informations for the EXSLT library
+ * exsltconfig.h: compile-time version information for the EXSLT library
  *
  * See Copyright for the status of this software.
  *
diff --git a/libxslt/extensions.c b/libxslt/extensions.c
index 30c3368..3589ef2 100644
--- a/libxslt/extensions.c
+++ b/libxslt/extensions.c
@@ -2061,7 +2061,7 @@ xsltExtElementPreCompTest(xsltStylesheetPtr style, xmlNodePtr inst,
  * @ctxt:  an XSLT processing context
  * @node:  The current node
  * @inst:  the instruction in the stylesheet
- * @comp:  precomputed informations
+ * @comp:  precomputed information
  *
  * Process a libxslt:test node
  */
diff --git a/libxslt/extra.c b/libxslt/extra.c
index 17df4ba..97aa262 100644
--- a/libxslt/extra.c
+++ b/libxslt/extra.c
@@ -50,7 +50,7 @@
  * @ctxt:  an XSLT processing context
  * @node:  The current node
  * @inst:  the instruction in the stylesheet
- * @comp:  precomputed informations
+ * @comp:  precomputed information
  *
  * Process an debug node
  */
diff --git a/libxslt/imports.c b/libxslt/imports.c
index 9277b4f..c11ee91 100644
--- a/libxslt/imports.c
+++ b/libxslt/imports.c
@@ -329,7 +329,7 @@ xsltNeedElemSpaceHandling(xsltTransformContextPtr ctxt) {
  * @ctxt:  an XSLT transformation context
  * @node:  an XML node
  *
- * Find strip-space or preserve-space informations for an element
+ * Find strip-space or preserve-space information for an element
  * respect the import precedence or the wildcards
  *
  * Returns 1 if space should be stripped, 0 if not, and 2 if everything
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index 9cd1cf3..2072c31 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -703,7 +703,7 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
 /**
  * xsltNumberFormat:
  * @ctxt: the XSLT transformation context
- * @data: the formatting informations
+ * @data: the formatting information
  * @node: the data to format
  *
  * Convert one number.
@@ -879,7 +879,7 @@ xsltFormatNumberPreSuffix(xsltDecimalFormatPtr self, xmlChar **format, xsltForma
  * @self: the decimal format
  * @format: the format requested
  * @number: the value to format
- * @result: the place to ouput the result
+ * @result: the place to output the result
  *
  * format-number() uses the JDK 1.1 DecimalFormat class:
  *
diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
index 95e8fe6..5321e9a 100644
--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
@@ -290,7 +290,7 @@ struct _xsltTemplate {
     int inheritedNsNr;  /* number of inherited namespaces */
     xmlNsPtr *inheritedNs;/* inherited non-excluded namespaces */
 
-    /* Profiling informations */
+    /* Profiling information */
     int nbCalls;        /* the number of time the template was called */
     unsigned long time; /* the time spent in this template */
     void *params;       /* xsl:param instructions */
@@ -1512,7 +1512,7 @@ struct _xsltStylesheet {
      */
     xsltTemplatePtr templates;	/* the ordered list of templates */
     void *templatesHash;	/* hash table or wherever compiled templates
-				   informations are stored */
+				   information are stored */
     void *rootMatch;		/* template based on / */
     void *keyMatch;		/* template based on key() */
     void *elemMatch;		/* template based on * */
@@ -1730,7 +1730,7 @@ struct _xsltTransformContext {
 
     int              extrasNr;		/* the number of extras used */
     int              extrasMax;		/* the number of extras allocated */
-    xsltRuntimeExtraPtr extras;		/* extra per runtime informations */
+    xsltRuntimeExtraPtr extras;		/* extra per runtime information */
 
     xsltDocumentPtr  styleList;		/* the stylesheet docs list */
     void                 * sec;		/* the security preferences if any */
diff --git a/libxslt/xsltconfig.h b/libxslt/xsltconfig.h
index bea77e4..6cb5fd8 100644
--- a/libxslt/xsltconfig.h
+++ b/libxslt/xsltconfig.h
@@ -1,6 +1,6 @@
 /*
- * Summary: compile-time version informations for the XSLT engine
- * Description: compile-time version informations for the XSLT engine
+ * Summary: compile-time version information for the XSLT engine
+ * Description: compile-time version information for the XSLT engine
  *              this module is autogenerated.
  *
  * Copy: See Copyright for the status of this software.
diff --git a/libxslt/xsltconfig.h.in b/libxslt/xsltconfig.h.in
index b4cac6d..739515d 100644
--- a/libxslt/xsltconfig.h.in
+++ b/libxslt/xsltconfig.h.in
@@ -1,6 +1,6 @@
 /*
- * Summary: compile-time version informations for the XSLT engine
- * Description: compile-time version informations for the XSLT engine
+ * Summary: compile-time version information for the XSLT engine
+ * Description: compile-time version information for the XSLT engine
  *              this module is autogenerated.
  *
  * Copy: See Copyright for the status of this software.
diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
index ab981a4..9e9993e 100644
--- a/libxslt/xsltutils.c
+++ b/libxslt/xsltutils.c
@@ -1466,7 +1466,7 @@ xsltSaveResultTo(xmlOutputBufferPtr buf, xmlDocPtr result,
 	((style->method == NULL) ||
 	 (!xmlStrEqual(style->method, (const xmlChar *) "xhtml")))) {
         xsltGenericError(xsltGenericErrorContext,
-		"xsltSaveResultTo : unknown ouput method\n");
+		"xsltSaveResultTo : unknown output method\n");
         return(-1);
     }
 
@@ -1794,7 +1794,7 @@ xsltSaveResultToString(xmlChar **doc_txt_ptr, int * doc_txt_len,
 
 /************************************************************************
  *									*
- *		Generating profiling informations			*
+ *		Generating profiling information			*
  *									*
  ************************************************************************/
 
@@ -1954,9 +1954,9 @@ pretty_templ_match(xsltTemplatePtr templ) {
 /**
  * xsltSaveProfiling:
  * @ctxt:  an XSLT context
- * @output:  a FILE * for saving the informations
+ * @output:  a FILE * for saving the information
  *
- * Save the profiling informations on @output
+ * Save the profiling information on @output
  */
 void
 xsltSaveProfiling(xsltTransformContextPtr ctxt, FILE *output) {
@@ -2153,7 +2153,7 @@ xsltSaveProfiling(xsltTransformContextPtr ctxt, FILE *output) {
 
 /************************************************************************
  *									*
- *		Fetching profiling informations				*
+ *		Fetching profiling information				*
  *									*
  ************************************************************************/
 
@@ -2162,8 +2162,8 @@ xsltSaveProfiling(xsltTransformContextPtr ctxt, FILE *output) {
  * @ctxt:  a transformation context
  *
  * This function should be called after the transformation completed
- * to extract template processing profiling informations if availble.
- * The informations are returned as an XML document tree like
+ * to extract template processing profiling information if availble.
+ * The information are returned as an XML document tree like
  * 
  * 
  *