dev-libs/libxml2: fix CVE-2018-14404

Signed-off-by: Xiaoyong Zhou <xzhou@google.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>

2 files changed, 58 insertions, 0 deletions

diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch
new file mode 100644
index 000000000000..59bfc0fa9b88
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch
@@ -0,0 +1,54 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4e0a0..5e3bb9ff6401 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval &= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval |= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
+-- 
+2.19.1
+
diff --git a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
index 43da94cafedf..86521ab289ae 100644
--- a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
+++ b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
@@ -92,6 +92,10 @@ src_prepare() {
 	# https://bugzilla.gnome.org/show_bug.cgi?id=794914
 	eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14567.patch
 
+	# CVE-2018-14404
+	# https://gitlab.gnome.org/GNOME/libxml2/issues/5
+	eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14404.patch
+
 	if [[ ${CHOST} == *-darwin* ]] ; then
 		# Avoid final linking arguments for python modules
 		sed -i -e '/PYTHON_LIBS/s/ldflags/libs/' configure.ac || die