[xml/sgml-commit] [xmlsec1] 09/32: Imported Debian patch 1.2.9-5+lenny1
Rene Engelhard
rene at moszumanska.debian.org
Sun Jun 25 17:46:22 UTC 2017
This is an automated email from the git hooks/post-receive script.
rene pushed a commit to branch experimental
in repository xmlsec1.
commit db66ffee496c11f6a4ff8f8157b7446079d51eea
Author: Thijs Kinkhorst <thijs at debian.org>
Date: Wed Apr 13 11:57:24 2011 +0200
Imported Debian patch 1.2.9-5+lenny1
---
apps/xmlsec.c | 22 +++++++++++++++++++++-
debian/changelog | 8 ++++++++
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/apps/xmlsec.c b/apps/xmlsec.c
index dd0f4d4..0e3e906 100644
--- a/apps/xmlsec.c
+++ b/apps/xmlsec.c
@@ -24,6 +24,7 @@
#include <libxslt/extensions.h>
#include <libxslt/xsltInternals.h>
#include <libxslt/xsltutils.h>
+#include <libxslt/security.h>
#include <libexslt/exslt.h>
#endif /* XMLSEC_NO_XSLT */
@@ -2352,6 +2353,11 @@ xmlSecAppLoadKeys(void) {
}
static int intialized = 0;
+
+#ifndef XMLSEC_NO_XSLT
+static xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
static int
xmlSecAppInit(void) {
if(intialized != 0) {
@@ -2366,7 +2372,20 @@ xmlSecAppInit(void) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec */
if(xmlSecInit() < 0) {
fprintf(stderr, "Error: xmlsec intialization failed.\n");
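Review bot: The result of `xsltNewSecurityPrefs()` in xmlSecAppInit is used without a NULL check, and the return values of the five `xsltSetSecurityPrefs()` calls are ignored. If the allocation fails, each setter does nothing and `xsltSetDefaultSecurityPrefs(NULL)` leaves libxslt with no default preferences, so as far as I can tell transforms would run with the file and network access this patch is meant to forbid. The setup should fail closed, reporting the error and returning before any document is processed; the `return(-1)` below assumes the same convention as the xmlSecInit() failure path, whose body continues outside the hunk. Because the change is confined to apps/xmlsec.c, it protects the command-line tool only; other programs linking the library would still need to install their own preferences.

```c
    /* disable everything */
    xsltSecPrefs = xsltNewSecurityPrefs();
    if(xsltSecPrefs == NULL) {
        fprintf(stderr, "Error: xslt security preferences creation failed.\n");
        return(-1);
    }
    if((xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid) < 0)) {
        fprintf(stderr, "Error: xslt security preferences setup failed.\n");
        xsltFreeSecurityPrefs(xsltSecPrefs);
        xsltSecPrefs = NULL;
        return(-1);
    }
    xsltSetDefaultSecurityPrefs(xsltSecPrefs);
    /* ... unchanged: xmlSecInit() call and the rest of xmlSecAppInit ... */
```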
@@ -2413,6 +2432,7 @@ xmlSecAppShutdown(void) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
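Review bot: `xsltFreeSecurityPrefs(xsltSecPrefs)` in xmlSecAppShutdown frees the object while libxslt's default-preferences pointer and the static `xsltSecPrefs` both still refer to it. Clearing both around the free keeps a later init/shutdown cycle or a late transform from touching freed memory: `xsltSetDefaultSecurityPrefs(NULL);` before the free and `xsltSecPrefs = NULL;` after it. The function starts and ends outside the hunk, so whether anything can run a transform after this point is not visible here.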
diff --git a/debian/changelog b/debian/changelog
index 62679d2..9a0cc43 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+xmlsec1 (1.2.9-5+lenny1) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Apply patch from upstream addressing arbitrary file overwrite
+ (CVE-2011-1425, closes: #620560).
+
+ -- Thijs Kinkhorst <thijs at debian.org> Wed, 13 Apr 2011 11:57:24 +0200
+
xmlsec1 (1.2.9-5) unstable; urgency=low
* Remove shlibs.local (Closes: #379445)
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-xml-sgml/xmlsec1.git