[xml/sgml-commit] [xmlsec1] 14/32: Imported Debian patch 1.2.14-1+squeeze1

Rene Engelhard rene at moszumanska.debian.org
Sun Jun 25 17:46:26 UTC 2017


This is an automated email from the git hooks/post-receive script.

rene pushed a commit to branch experimental
in repository xmlsec1.

commit 8a99ad1b323314dda328ae66b4a567218a2eb485
Author: Thijs Kinkhorst <thijs at debian.org>
Date:   Wed Apr 13 08:23:07 2011 +0200

    Imported Debian patch 1.2.14-1+squeeze1
---
 apps/xmlsec.c    | 22 +++++++++++++++++++++-
 debian/changelog |  8 ++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/apps/xmlsec.c b/apps/xmlsec.c
index f2fa9f6..952c9b5 100644
--- a/apps/xmlsec.c
+++ b/apps/xmlsec.c
@@ -24,6 +24,7 @@
 #include <libxslt/extensions.h> 
 #include <libxslt/xsltInternals.h>
 #include <libxslt/xsltutils.h>
+#include <libxslt/security.h>
 #include <libexslt/exslt.h>
 #endif /* XMLSEC_NO_XSLT */
 
@@ -2400,6 +2401,11 @@ xmlSecAppLoadKeys(void) {
 }
 
 static int intialized = 0;
+
+#ifndef XMLSEC_NO_XSLT
+static xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
 static int
 xmlSecAppInit(void) {
     if(intialized != 0) {
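Review bot: The new file-scope `xsltSecPrefs` carries no comment on what it holds or who releases it. I would add `/* libxslt security prefs installed as the process-wide default in xmlSecAppInit(); freed in xmlSecAppShutdown() */` above the declaration, so the pairing across the two functions is visible at the definition. xmlSecAppInit continues past the end of this hunk.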
@@ -2414,7 +2420,20 @@ xmlSecAppInit(void) {
 #ifndef XMLSEC_NO_XSLT
     xmlIndentTreeOutput = 1; 
 #endif /* XMLSEC_NO_XSLT */
-        	
+    
+
+    /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+    /* disable everything */
+    xsltSecPrefs = xsltNewSecurityPrefs(); 
+    xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_READ_FILE,        xsltSecurityForbid);
+    xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_WRITE_FILE,       xsltSecurityForbid);
+    xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+    xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_READ_NETWORK,     xsltSecurityForbid);
+    xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_WRITE_NETWORK,    xsltSecurityForbid);
+    xsltSetDefaultSecurityPrefs(xsltSecPrefs); 
+#endif /* XMLSEC_NO_XSLT */                
+    	
     /* Init xmlsec */
     if(xmlSecInit() < 0) {
 	fprintf(stderr, "Error: xmlsec intialization failed.\n");
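Review bot: The result of `xsltNewSecurityPrefs()` is never checked in the block added to xmlSecAppInit, and the return values of the five `xsltSetSecurityPrefs()` calls are discarded. If the allocation fails, each setter is handed NULL and `xsltSetDefaultSecurityPrefs(NULL)` installs no default prefs at all. As far as I know, libxslt only enforces these checks when prefs are attached to a transform context, so stylesheets would then run with file and network access unrestricted, which is the condition this patch exists to close. Initialization should fail closed instead, as sketched below. The `return(-1)` is assumed to match the xmlSecInit failure path, whose body continues outside the hunk.

```c
    /* disable everything; refuse to start if the restrictions cannot be installed */
    xsltSecPrefs = xsltNewSecurityPrefs();
    if(xsltSecPrefs == NULL) {
	fprintf(stderr, "Error: xslt security prefs allocation failed.\n");
	return(-1);
    }
    if((xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE,        xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE,       xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK,     xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK,    xsltSecurityForbid) < 0)) {
	fprintf(stderr, "Error: failed to set xslt security prefs.\n");
	xsltFreeSecurityPrefs(xsltSecPrefs);
	xsltSecPrefs = NULL;
	return(-1);
    }
    xsltSetDefaultSecurityPrefs(xsltSecPrefs);
```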
@@ -2461,6 +2480,7 @@ xmlSecAppShutdown(void) {
     
     /* Shutdown libxslt/libxml */
 #ifndef XMLSEC_NO_XSLT
+    xsltFreeSecurityPrefs(xsltSecPrefs);
     xsltCleanupGlobals();            
 #endif /* XMLSEC_NO_XSLT */
     xmlCleanupParser();
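Review bot: `xsltSecPrefs` is left pointing at freed memory after `xsltFreeSecurityPrefs(xsltSecPrefs);`, and the default-prefs pointer installed in xmlSecAppInit is not cleared in the visible lines either. Adding `xsltSecPrefs = NULL;` directly after the free would keep a repeated shutdown or a later re-initialization from passing a stale pointer back into libxslt. xmlSecAppShutdown begins and ends outside this hunk, so whether it can be reached twice is not visible here.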
diff --git a/debian/changelog b/debian/changelog
index d67de01..e364989 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+xmlsec1 (1.2.14-1+squeeze1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Apply patch from upstream addressing arbitrary file overwrite
+    (CVE-2011-1425, closes: #620560).
+
+ -- Thijs Kinkhorst <thijs at debian.org>  Wed, 13 Apr 2011 08:23:07 +0200
+
 xmlsec1 (1.2.14-1) unstable; urgency=low
 
   * New upstream release, fixes CVE-2009-3736 (Closes: #559831)

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-xml-sgml/xmlsec1.git


